blur6ex Local File Inclusion and SQL injection . A blog and simple content engine. Supports many features found in larger systems such as CSS layouts, RSS feeds, comments, trackbacks, categories, archives, drafts, searching MMS posting, and a multi-user permissions system. Still in development and a little rough around the edges. The codebase is hackable, though, and hobbyists or those knowing a little PHP will find it quite customizable. http://www.blursoft.com Credit: The information has been provided by Hamid Ebadi ( Hamid Network Security Team) : admin[at]hamid[dot]ir . The original article can be found at : http://www.hamid.ir/security Vulnerable Systems: Version: 0.3.462 (and below) Local file inclusion : Input passed to the "shard" parameter in "index.php" isn't properly verified, before it is used to include files. This can be exploited to include/see arbitrary files from local resources. The following URL will cause local file inclusion: http://localhost/blur6ex-0.3.462/index.php?shard=/../../../../../[local-file]%00 Successful exploitation requires that "magic_quotes_gpc" is disabled. SQL injection : Input passed to the "searchterm" and "ID" parameters in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Cross-Site Scripting (XSS : Input passed to the "shard" and "errormsg" parameter in index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. http://localhost/blur6ex-0.3.462/index.php?shard=<script>alert(document.cookie)</script> http://localhost/blur6ex-0.3.462/index.php?shard=login&action=g_error&errormsg=<script>alert(document.cookie)</script> __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
