Tuesday, January 11, 2005
b2Evolution 'title' SQL Injection
Summary
b2evolution is "probably the most comprehensive blog engine you can find". An SQL injection vulnerability has been found in the handling of b2evolution's 'title' request parameter: the value is interpolated directly into the SQL statement that looks up a post by its URL title, so a remote attacker can append arbitrary SQL to that statement.
Credit: The information has been provided by r0ut3r.
Details
Exploit: The following URL will trigger the vulnerability (the lone quote in the title parameter terminates the quoted string inside the statement, leaving malformed SQL behind it):
http://vulnerable/index.php?blog=1&title='&more=1&c=1&tb=1&pb=1
Workaround:
1: manual edit:
Open the file /blogs/b2evocore/_class_itemlist.php and find the following code around lines 197-201:
Code:
// if a post urltitle is specified, load that post
if( !empty( $title ) ) { $where .= " AND post_urltitle = '$title'"; }
Replace these lines like this:
Code:
// if a post urltitle is specified, load that post
if( !empty( $title ) ) { $where .= ' AND post_urltitle = '.$DB->quote($title); }
The unpatched line interpolates the user-supplied $title straight into the quoted SQL string; $DB->quote() escapes the value and wraps it in quotes itself, so a quote character in the request can no longer close the string literal.
2: patch files
Download the following file: b2evo-0-9-0-11-fix.zip, unzip it and replace the two enclosed files in the blogs/b2evocore folder. This second method also fixes a small, harmless bug that caused an error when testing whether the SQL injection issue is fixed.
Source (bug): Securiteam
Source (workaround): b2evolution forums.
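The following is an added example, not code from b2evolution or from the advisory. It rebuilds the post_urltitle lookup from _class_itemlist.php in Python against an in-memory SQLite table, so the effect of the title parameter can be observed offline: the advisory's probe value (a lone quote) breaks the statement, a tautology payload returns every row, and the same inputs are harmless once the value is quoted the way the workaround does, or bound as a parameter. The table, its rows, the db_quote helper and the blog/status columns are constructed for the demonstration; only post_urltitle comes from the page.

```python
import sqlite3

# Constructed sample data (not real b2evolution rows). Column names other than
# post_urltitle are assumptions made for this example.
SAMPLE_POSTS = [
    (1, 1, "hello-world", "Hello world", "published"),
    (2, 1, "second-post", "Second post", "published"),
    (3, 2, "private-draft", "Private draft", "draft"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (post_ID INTEGER, post_blog INTEGER, "
        "post_urltitle TEXT, post_title TEXT, post_status TEXT)"
    )
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?, ?)", SAMPLE_POSTS)
    return conn


def vulnerable_select(conn, blog, title):
    """WHERE clause built the way the unpatched PHP builds $where."""
    where = f"post_blog = {int(blog)} AND post_status = 'published'"
    if title:
        where += f" AND post_urltitle = '{title}'"  # raw interpolation, as on the page
    return conn.execute(f"SELECT post_ID, post_title FROM posts WHERE {where}").fetchall()


def db_quote(value):
    """Stand-in for $DB->quote(): wrap in quotes and double embedded quotes.
    Assumption: the real method escapes through the MySQL driver; doubling the
    quote is the portable SQL form and is sufficient for SQLite here."""
    return "'" + str(value).replace("'", "''") + "'"


def quoted_select(conn, blog, title):
    """Same query with the advisory's workaround: title goes through db_quote()."""
    where = f"post_blog = {int(blog)} AND post_status = 'published'"
    if title:
        where += " AND post_urltitle = " + db_quote(title)
    return conn.execute(f"SELECT post_ID, post_title FROM posts WHERE {where}").fetchall()


def bound_select(conn, blog, title):
    """Preferred modern fix: parameter binding keeps the value out of the SQL text."""
    where = "post_blog = ? AND post_status = 'published'"
    params = [int(blog)]
    if title:
        where += " AND post_urltitle = ?"
        params.append(title)
    return conn.execute(f"SELECT post_ID, post_title FROM posts WHERE {where}", params).fetchall()


def run_checks():
    """Exercise all three variants and return the observations by name."""
    conn = make_db()
    out = {}
    # The advisory's probe: title=' leaves an unterminated string literal.
    try:
        vulnerable_select(conn, 1, "'")
        out["probe_vulnerable"] = "no error"
    except sqlite3.OperationalError as exc:
        out["probe_vulnerable"] = f"sql error: {exc}"
    # A tautology closes the literal and ORs in every row, including the draft
    # on another blog, because AND binds tighter than OR in the resulting WHERE.
    payload = "x' OR '1'='1"
    out["tautology_vulnerable"] = vulnerable_select(conn, 1, payload)
    out["tautology_quoted"] = quoted_select(conn, 1, payload)
    out["tautology_bound"] = bound_select(conn, 1, payload)
    out["probe_quoted"] = quoted_select(conn, 1, "'")
    out["legit"] = bound_select(conn, 1, "hello-world")
    return out


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

Running it shows the probe raising a SQL syntax error and the tautology returning all three posts from the vulnerable variant, while the quoted and bound variants return nothing for either payload and still find the legitimate post. Quoting, as in the workaround, closes this hole; binding is the form to prefer in new code because the value never becomes part of the statement text at all.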