-= Security Advisory =-

Issue: SQL Injection Vulnerability in EasyMoblog by Umberto Caldera.
Discovered Date: 30/01/07
Author: Tal Argoni, LegendaryZion. [talargoni at gmail.com]
Product Vendor: http://sourceforge.net/project/showfiles.php?group_id=88633
Ver: easymoblog-0.5.1

Details:

EasyMoblog is prone to a SQL injection vulnerability. The vulnerability exists in the post_details function, which is defined in "libraries.inc.php" and called from "list_comments.php". It is caused by the lack of input validation/filtering of quotation marks and other malicious characters in the GET parameter "i", whose value is concatenated directly into the WHERE clause of the query.

Contents of libraries.inc.php:
---------------------------------
...
function post_details ($post_id)
{
    if (CFG_USE_PATH_INFO == 'no')
        $iisbug = '?';
    else
        $iisbug = '';

    $query = "
        select p.*,
               count(c.post_id) as post_comments,
               count(tr.post_id) as post_trackback_pings,
               t.topic_name,
               concat(t.img_id,'.',i.img_extension) as topic_img
        from ".CFG_MYSQL_TABPREFIX."posts p
        left join ".CFG_MYSQL_TABPREFIX."comments c on p.post_id = c.post_id
        left join ".CFG_MYSQL_TABPREFIX."trackback_pings tr on p.post_id = tr.post_id
        left join ".CFG_MYSQL_TABPREFIX."topics t on p.topic_id = t.topic_id
        left join ".CFG_MYSQL_TABPREFIX."images i on t.img_id = i.img_id
        where p.post_id = '".$post_id."'
        group by p.post_id
    ";
    $res = mysql_query($query);
...

Contents of list_comments.php:
---------------------------------
...
$post_id = '';
if (isset($_GET['i']))
    $post_id = $_GET['i'];

$post = post_details ($post_id);
...

Exploitation URL:
http://www.example.com/easymoblog/list_comments.php?i='[SQL]

Successful exploitation may allow execution of SQL code. This could also be exploited to get the passwords, users, and a lot of information, commit Denial of Service attacks and more...

Proof Of Concept:
http://www.example.com/easymoblog/list_comments.php?i='[SQL]
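For comparison, the following is an added example (not EasyMoblog's or the advisory author's code) of how post_details could be rewritten so that the value of "i" can no longer change the structure of the query: the post id is validated as an integer and then bound as a prepared-statement parameter. It assumes a PDO connection $db to the same MySQL schema and the CFG_MYSQL_TABPREFIX constant from the original; the names $db and post_details_safe are hypothetical.

```php
<?php
// Hardened variant of post_details (added example, not EasyMoblog code).
// Assumes: $db is a PDO connection to the EasyMoblog database and
// CFG_MYSQL_TABPREFIX is the configured table prefix from the original.

function post_details_safe(PDO $db, $post_id)
{
    // post_id is an integer key, so reject anything that is not a short
    // run of digits before it gets anywhere near SQL. A quote, a space or
    // a comment marker never passes this check.
    if (!preg_match('/^\d{1,10}$/', (string) $post_id)) {
        return false;
    }

    // The prefix comes from configuration, not from the request, and is
    // the only value still interpolated into the query text.
    $p = CFG_MYSQL_TABPREFIX;
    $sql = "
        select p.*,
               count(c.post_id) as post_comments,
               count(tr.post_id) as post_trackback_pings,
               t.topic_name,
               concat(t.img_id,'.',i.img_extension) as topic_img
        from {$p}posts p
        left join {$p}comments c on p.post_id = c.post_id
        left join {$p}trackback_pings tr on p.post_id = tr.post_id
        left join {$p}topics t on p.topic_id = t.topic_id
        left join {$p}images i on t.img_id = i.img_id
        where p.post_id = :post_id
        group by p.post_id
    ";

    // The SQL text is fixed at prepare time; the user value travels to the
    // server as a typed parameter and cannot alter the statement.
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':post_id', (int) $post_id, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Caller side, replacing the list_comments.php snippet shown above.
$post_id = isset($_GET['i']) ? $_GET['i'] : '';
$post = post_details_safe($db, $post_id);
if ($post === false) {
    http_response_code(400);   // refuse the request instead of querying
    exit('invalid post id');
}
```

Because the original code uses the legacy mysql_* extension, switching to PDO (or mysqli) prepared statements is the structural fix; escaping alone would still leave the query text assembled from request data.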