Info

Disclosure

Apr 24, 2005

Discovery

Apr 22, 2005

Dates

Exploit

Apr 24, 2005

Solution

Unknown

Description

bBlog contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to the 'postid' variable in the index.php script not being properly sanitized and may allow an attacker to inject or manipulate SQL queries.

Classification

Location: Remote/Network Access Required
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 0.7.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Eaden McKee	BBLog	0.7.4
		0.7.5

References

Security Tracker: 1013811
Related OSVDB ID: 15754 15755
CVE ID: 2005-1310 (see also: NVD)
Vendor Specific News/Changelog Entry: http://bblog.com/bugs/index.php?do=details&id=67
http://sourceforge.net/tracker/index.php?func=detail&aid=1188735&group_id=81992&a ......
http://www.bblog.com/wiki/index.php/Change_Log
Vendor URL: http://www.bblog.com/

Credit

security curmudgeon - jerichoattrition.org - attrition.org

Direct URL: http://osvdb.org/36218

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Eaden McKee

BBLog

References

Credit