by Tan Chew Keong
Release Date: 2008-07-06
Summary
Some SQL injection vulnerabilities were fixed in BlognPlus version 2.5.5. However, several other pre-authentication SQL injection vulnerabilities still exist. When exploited, these vulnerabilities allow an anonymous attacker to execute arbitrary SQL statements on an affected system.
Tested Versions
Details
The index.php script does not sanitise the p, e, d, and m parameters before using them in SQL queries. This makes it possible for an anonymous attacker to manipulate the values passed to these parameters to retrieve arbitrary data from the database.
BlognPlus supports storing blog data in text files, MySQL, or PostgreSQL. These vulnerabilities apply only when database storage is used.
The p and e parameters can be exploited regardless of the PHP magic_quotes_gpc setting, whereas the d and m parameters are exploitable only if magic_quotes_gpc=Off. Note that magic_quotes_gpc does nothing more than backslash-escape quote characters in request data: it offers no protection where a value is spliced into a query unquoted, as numeric values typically are, and it is not a substitute for validating input or using parameterised queries.
These SQL injection vulnerabilities can be exploited to retrieve the blog admin user's password hash.
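The following is an added example, not code from BlognPlus or from the original advisory. It shows the distinction the paragraph above draws: a parameter spliced into SQL unquoted is injectable whether or not quotes are escaped, while a parameter inside a quoted literal is stopped by quote-escaping alone (but only by accident of context), and binding the value fixes both. The schema, table names, payloads and the stored hash are all constructed. SQLite is used so the example runs offline; its quote-doubling escape stands in for the backslash escaping PHP's magic_quotes_gpc applied for MySQL, since both merely prevent a quote in the input from closing a string literal.

```python
import sqlite3

# Constructed schema: stands in for any blog that keeps entries and
# users in a database. It is not BlognPlus's schema.
SCHEMA = """
CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT, body TEXT, month TEXT);
CREATE TABLE users (name TEXT, password_hash TEXT);
INSERT INTO entries VALUES (1, 'hello', 'first post', '200806');
INSERT INTO users VALUES ('admin', 'constructed-hash-value');
"""

# Constructed payloads: the first needs no quote character at all, the
# second must close a quoted literal before it can add a UNION.
NUMERIC_PAYLOAD = "0 UNION SELECT name, password_hash FROM users"
STRING_PAYLOAD = "x' UNION SELECT name, password_hash FROM users -- "


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def escape_quotes(value):
    """Stand-in for magic_quotes_gpc=On.

    PHP backslash-escaped quotes (MySQL syntax); SQLite escapes a single
    quote by doubling it. Either way a quote in the input can no longer
    terminate the string literal, which is all magic_quotes ever did.
    """
    return value.replace("'", "''")


def entry_by_id_unsafe(db, e):
    # Value interpolated unquoted, as a numeric id typically is. Escaping
    # quotes is irrelevant here: the payload does not contain one.
    return db.execute(
        f"SELECT title, body FROM entries WHERE id = {e}").fetchall()


def entries_by_month_unsafe(db, m, magic_quotes=False):
    # Value interpolated inside a quoted literal. The injection needs a
    # quote character, so escaping (magic_quotes=On) blocks this instance.
    if magic_quotes:
        m = escape_quotes(m)
    return db.execute(
        f"SELECT title, body FROM entries WHERE month = '{m}'").fetchall()


def entry_by_id_safe(db, e):
    # The fix that works for both parameter kinds: bind the value instead
    # of splicing it into the SQL text.
    return db.execute(
        "SELECT title, body FROM entries WHERE id = ?", (e,)).fetchall()


def entries_by_month_safe(db, m):
    return db.execute(
        "SELECT title, body FROM entries WHERE month = ?", (m,)).fetchall()


def demo():
    """Run each variant against the constructed database and return the rows."""
    db = make_db()
    return {
        "id_unquoted": entry_by_id_unsafe(db, NUMERIC_PAYLOAD),
        "month_quoted_mq_off": entries_by_month_unsafe(db, STRING_PAYLOAD, False),
        "month_quoted_mq_on": entries_by_month_unsafe(db, STRING_PAYLOAD, True),
        "id_bound": entry_by_id_safe(db, NUMERIC_PAYLOAD),
        "month_bound": entries_by_month_safe(db, STRING_PAYLOAD),
        "legitimate": entry_by_id_safe(db, 1),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22} {rows}")
```

Running it shows the unquoted id lookup and the quoted month lookup with escaping off both return the admin row from the users table, the quoted lookup with escaping on returns nothing, and the bound versions return nothing for either payload while still serving a legitimate id. The practical conclusion is the one the advisory's observation implies: magic_quotes_gpc (removed from PHP in 5.4) only ever masked the subset of injections that happened to need a quote, so a parameter that is exploitable with it on is no more "broken" than one that is exploitable only with it off; both need a bound parameter or strict validation.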
POC / Test Code
Example exploits to retrieve the blog admin user's password hash were provided to the vendor.
Patch / Workaround
Update to version 2.5.6. See the vendor's advisory for the fixed release.
Disclosure Timeline
2008-06-28 - Vulnerability Discovered.
2008-06-29 - Initial Vendor Notification.
2008-06-30 - Initial Vendor Reply.
2008-06-30 - Vulnerability Details Sent to Vendor.
2008-07-01 - Received Email from Vendor with Release Date of Fixed Version.
2008-07-04 - Vendor released fixed version.
2008-07-06 - Public Release.