[>>] Writer's Block SQL Injection Vulnerabilities [<<]
[x] Vendor Information
"If the written word is the wheel, then Writer's Block is the sweet, sweet fossil fuel in the
engine that keeps it spinning. A free, flexible, elegant Content Management System that helps
you maintain any web site you want, at any size you want, with no hassle and no restrictions.
In fact, it's running this entire site right now."
http://www.desiquintans.com
[x] Attack Information
The "PostID" GET parameter is concatenated into three SQL queries without validation or escaping, so a crafted value executes attacker-supplied SQL:
----
permalink.php, line 212:
$getpost = @mysql_query("SELECT Title, Timestamp, Body, PostCat1, PostCat2, PostCat3, PostCat4, Author FROM ".POSTS_TBL." WHERE
PostID='".$_GET['PostID']."' AND Draft=0");
----
permalink.php, line 298:
$prevlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE PostID<".$_GET['PostID']." AND Draft=0 ORDER BY Timestamp DESC LIMIT 1");
----
permalink.php, line 304:
$nextlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE PostID>".$_GET['PostID']." AND Draft=0 ORDER BY Timestamp ASC LIMIT 1");
----
[x] Exploit
The issue can be exploited through a web browser.
[x] Patch
Cast the parameter to an integer with intval() in each of the three queries:
----
permalink.php, line 212:
$getpost = @mysql_query("SELECT Title, Timestamp, Body, PostCat1, PostCat2, PostCat3, PostCat4, Author FROM ".POSTS_TBL." WHERE
PostID='".intval($_GET['PostID'])."' AND Draft=0");
----
permalink.php, line 298:
$prevlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE PostID<".intval($_GET['PostID'])." AND Draft=0 ORDER BY Timestamp DESC LIMIT 1");
----
permalink.php, line 304:
$nextlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE PostID>".intval($_GET['PostID'])." AND Draft=0 ORDER BY Timestamp ASC LIMIT 1");
----
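The intval() patch above is sufficient because PostID is only ever used in a numeric comparison. Since the mysql_* extension the CMS relies on is gone from modern PHP, the following is an added example (not code from the advisory or from Writer's Block) of the same three permalink.php queries rewritten with input validation and mysqli prepared statements; it assumes an open mysqli connection in $db and the POSTS_TBL constant from the page.

```php
<?php
// Added example, not part of the original advisory or the Writer's Block code.
// Assumes: $db is an open mysqli connection and POSTS_TBL is the table-name
// constant used by permalink.php. Table names cannot be bound as parameters,
// so the constant is still interpolated; only the user-controlled PostID is bound.

// Validate PostID once, up front: accept only a string of decimal digits.
// Anything else (quotes, spaces, operators, SQL keywords) is rejected before
// any query text is assembled.
function requirePostId(array $get): int {
    if (!isset($get['PostID']) || !ctype_digit((string) $get['PostID'])) {
        http_response_code(400);
        exit('Invalid PostID');
    }
    return (int) $get['PostID'];
}

// Run one permalink query with PostID bound as an integer ("i") parameter.
// Returns the matching row as an associative array, or null if none matches.
function fetchOne(mysqli $db, string $sql, int $postId): ?array {
    $stmt = $db->prepare($sql);
    $stmt->bind_param('i', $postId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$postId = requirePostId($_GET);
$tbl = POSTS_TBL;

// Equivalent of permalink.php line 212: the post itself.
$post = fetchOne($db,
    "SELECT Title, Timestamp, Body, PostCat1, PostCat2, PostCat3, PostCat4, Author "
    . "FROM $tbl WHERE PostID = ? AND Draft = 0", $postId);

// Equivalent of line 298: the previous published post.
$prev = fetchOne($db,
    "SELECT PostID FROM $tbl WHERE PostID < ? AND Draft = 0 ORDER BY Timestamp DESC LIMIT 1",
    $postId);

// Equivalent of line 304: the next published post.
$next = fetchOne($db,
    "SELECT PostID FROM $tbl WHERE PostID > ? AND Draft = 0 ORDER BY Timestamp ASC LIMIT 1",
    $postId);
```

With the parameter bound as an integer, the database never sees PostID as part of the query text, so the fix no longer depends on remembering to wrap every occurrence in intval().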
[x] Credits
The vulnerability has been discovered by katharsis - www.katharsis.x2.to