Easy Blog by JM LLC – Multiple Vulnerabilities

• Exploit Database
• 119 阅读

• 作者： Sp3ctrecore
  日期： 2013-07-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/27129/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72

  Dear Offensive Security, I have discovered some vulnerabilities in Easy Blog, developed by JM LLC.   Best regards, Sp3ctrecore     ########## ADVISORY ##########     ============================================== Easy Blog by JM LLC - Multiple Vulnerabilities ==============================================   Software................: Easy Blog Software link...........: http://www.jmagness.com/download/Easy_Blog.zip Vendor..................: JM LLC Vendor homepage.........: http://www.jmagness.com   Exploit author..........: Sp3ctrecore Contact.................: sp3ctrecore[at]gmail[dot]com     -------- OVERVIEW --------   Easy Blog is affected by multiple vulnerabilities.     ------------------- DISCLOSURE TIMELINE -------------------   04/07/2013 -- Multiple vulnerabilities discovered and reported to the vendor. 19/07/2013 -- The vendor confirmed the vulnerabilities, but has no time to fix them. 24/07/2013 -- Public disclosure.     --------------- VULNERABILITIES ---------------   [01] SHELL UPLOAD   The image upload function in add.php allows unrestricted file upload. An attacker may upload a shell gaining unauthorized access to the system.     [02] MULTIPLE SQL INJECTIONS   I. add.php - filename parameter (POST request) An attacker may upload a file with a crafted name (e.g. "file.txt',(select version()))-- -") injecting SQL code. The content is readable in the homepage.   II. edit.php - filename parameter (POST request) An attacker may upload a file with a crafted name (e.g. "file.txt',POST=(select version()) WHERE id=1-- -") injecting SQL code. The content is readable in the homepage.     [03] MULTIPLE CROSS-SITE SCRIPTING   I. add.php - title parameter (POST request): stored XSS. II.add.php - keywords parameter (POST request): stored XSS. III. add.php - description parameter (POST request): stored XSS. IV.add.php - slug parameter (POST request): reflected XSS.