Servers.co.nz Security Advisory SCN200409-1 Available in HTML format at http://www.servers.co.nz/security/SCN200409-1.php ------------------------------------------------------------ SQL Injection vulnerability in bBlog 0.7.3 Author: James McGlinn, Servers.co.nz Ltd Discovery Date: September 28, 2004 Package: bBlog Versions Affected: 0.7.2, 0.7.3 Severity: Severe - a remote user can gain administrative privileges. ------------------------------------------------------------ Problem: There is an SQL Injection vulnerability in versions of bBlog prior to 0.7.3, which can be exploited to gain administrative access if register_globals is enabled on the web server. Introduction: bBlog is a blogging system written in PHP and released under the GPL. It is used by thousands of bloggers worldwide and has features not found on other blogging systems including advanced comment spam prevention and threaded comments. Discussion: The array $p is not initialised before being populated and passed to $bBlog->make_post_query() on line 30 of rss.php. In an environment where register_globals is enabled, $p can be introduced to the script with unfiltered elements from user input. Using a specially crafted URL, POST data or cookie a remote user can gain access to the admin user's access credentials. Exploit withheld at project maintainer's request. Solution: This issue is fixed as of version 0.7.4. A patch for rss.php of version 0.7.3 is available at the URL below: http://www.servers.co.nz/security/patches/SCN200409-1/rss.php-patch.txt ------------------------------------------------------------ ABOUT SERVERS.CO.NZ LTD Servers.co.nz are leaders in the design, implementation & auditing of effective online information systems for SMEs. Phone: (NZ) 0800 4 SERVERS ------------------------------------------------------------ James McGlinn Project Manager BCom, BSc, Zend Certified Engineer (PHP) Servers.co.nz Ltd 68 Shortland St, Auckland PO Box 3688 Shortland St, Auckland, New Zealand Phone: 0800 4 SERVERS Fax: +64 9 358 5187