·= Security Advisory =·

Issue: SQL Injection Vulnerability in EasyMoblog by Umberto Caldera.

Discovered Date: 30/01/07

Author: Tal Argoni, LegendaryZion. [talargoni at gmail.com]

Product Vendor: http://sourceforge.net/project/showfiles.php?group_id=88633

Ver: easymoblog-0.5.1

Details:

EasyMoblog is prone to an SQL injection vulnerability. The vulnerability exists in the comment_add function and is caused by the lack of input validation/filtering of quotation marks and other malicious characters in the GET parameter "i" or in the POST parameter "post_id". "add_comment.php" calls the post_details function, which exists in "libraries.inc.php".

Contents of libraries.inc.php:
---------------------------------
...
function comment_add ($comment) {
    .....
    $query = "
        insert into ".CFG_MYSQL_TABPREFIX."comments
        (comment_author,comment_author_email,comment_text,comment_added,post_id)
        values (
            '".addslashes($comment['comment_author'])."',
            '".addslashes($comment['comment_author_email'])."',
            '".addslashes($comment['comment_text'])."',
            '".time()."',
            '".$comment['post_id']."'   // post_id is concatenated without addslashes()
        )
    ";
    $res = mysql_query($query);
...

Contents of add_comment.php:
---------------------------------
...
$form['post_id'] = '';
if(isset($_POST['post_id']))
    $form['post_id'] = $_POST['post_id'];   // taken verbatim from the request
elseif(isset($_GET['i']))
    $form['post_id'] = $_GET['i'];          // taken verbatim from the request
else
    exit();
.........
if (count($errors) == 0) {
    $comment = $form;
    $comment = comment_add ($comment);
    Header ("Location: list_comments.php?i=".$comment['post_id']);
    exit();
...

Exploitation URL:

http://www.example.com/easymoblog/add_comment.php?i='[SQL]

Successful exploitation may allow execution of SQL code. This could also be exploited to obtain passwords, user names and a lot of other information, to commit Denial of Service attacks, and more...

Proof Of Concept:

http://www.example.com/easymoblog/add_comment.php?i='[SQL]
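A hardened version of the two fragments above, added here as an example and not code from EasyMoblog: the post id taken from "i" / "post_id" is accepted only as a positive integer, and comment_add inserts the row through a PDO prepared statement so that no request data is ever concatenated into the SQL string. The $pdo connection handle and the CFG_MYSQL_TABPREFIX constant are assumed to come from the application's configuration.

```php
<?php
// Added example (not EasyMoblog code). Assumes a PDO connection in $pdo and the
// CFG_MYSQL_TABPREFIX constant from the application's configuration.

// add_comment.php: accept post_id (POST) or i (GET) only as a positive integer.
function read_post_id(array $post, array $get) {
    $raw = null;
    if (isset($post['post_id'])) {
        $raw = $post['post_id'];
    } elseif (isset($get['i'])) {
        $raw = $get['i'];
    }
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer (a quote,
    // a space, SQL keywords), so the value can never carry SQL syntax.
    $id = filter_var($raw, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    return ($raw === null || $id === false) ? null : $id;
}

// libraries.inc.php: comment_add with a prepared statement instead of string
// concatenation. Only the table prefix comes from configuration; every user
// supplied value is bound as a parameter, so quoting is handled by the driver
// and addslashes() is no longer needed for any field.
function comment_add(PDO $pdo, array $comment) {
    $sql = 'INSERT INTO ' . CFG_MYSQL_TABPREFIX . 'comments'
         . ' (comment_author, comment_author_email, comment_text, comment_added, post_id)'
         . ' VALUES (:author, :email, :text, :added, :post_id)';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':author',  $comment['comment_author'],       PDO::PARAM_STR);
    $stmt->bindValue(':email',   $comment['comment_author_email'], PDO::PARAM_STR);
    $stmt->bindValue(':text',    $comment['comment_text'],         PDO::PARAM_STR);
    $stmt->bindValue(':added',   time(),                            PDO::PARAM_INT);
    $stmt->bindValue(':post_id', $comment['post_id'],               PDO::PARAM_INT);
    $stmt->execute();
    return $comment;
}

// Caller in add_comment.php.
$post_id = read_post_id($_POST, $_GET);
if ($post_id === null) {
    exit();   // same behaviour as the original when no usable id is supplied
}
$form['post_id'] = $post_id;
// ... after the remaining form checks ($errors) pass:
$comment = comment_add($pdo, $form);
header('Location: list_comments.php?i=' . (int) $comment['post_id']);
exit();
```

The integer check alone would already close the hole reported above; the prepared statement is the general fix, since it protects every column rather than relying on addslashes() being remembered for each one.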