Remote SQL injections

[spam1@…]

MvBlog suffers from multiple remote SQL injections in the PHP code. Data gathered from the client-side is not verified and properly escaped before the SQL queries are built and executed. This can allow mallicious users (both log authors and remote users) to inject various different SQL code into the queries which in turn are executed.

Attacks, in typical SQL injection scenarios, allow attackers to delete or overwrite all data in the database, send out spam or gain escalated privileges in the system. One of the most visible and dangerous examples is in the comment posting code, but SQL injections can be found at various places.

[michiel]

Thanks. I'm now walking through the code, putting preg_quote and sprintf's in place All other work is stopped till this is resolved.

[spam1@…]

You may want to put this ticket into non-disclosure mode, if that's possible, before advisory sites pick it up while there isn't a vendor provided patch available yet.

[michiel]

This has been adressed in the public interface.
The admin interface will be done tomorrow, but this is less critical (still critical, but can be fixed tomorrow) because an author has to login and do it by purpose. All the author can do with this is kill their own blog. Shouldn't be something happening, but we have to make sure it cannot happen

For the fix, see [105] [106] [107] [108] [109] [110] [111] [112]

See also ticket #55

[michiel]

Tickets cannot be set to non-disclosure mode :(

I'm posting a ticket on trac's website now.

[michiel]

(In [113]) sanity checks for the login screen

Re #54

[michiel]

(In [114]) Remember me to remove old code please

Re #54

[michiel]

(In [115]) Fix a lot of possible sql-injections.

Re #54

[michiel]

(In [118]) Fix last sql-injections we can find. Fixed some XSS attacks in the backend.

Fixes #54, Re #55

[Url]

50 Inches Rear Projection Dlp Hdtv pergo flooring Magnavox Tv Vcr Dvd mannington flooring Grand Wega 3lcd Projection Tv Polaroid Lcd Hdtv 1080p Dlp Tv bruce laminate flooring kahrs Lcd Tv Olevia Panasonic Rear Projection Hdtv bruce hardwood flooring how to clean ceramic tile 37 Inch Wide Screen Hd Ready Lcd Tv travertine tile 42 Plasma Widescreen Edtv bruce flooring Anti Glare Filters Pioneer Elite Plasma Sony Wega Lcd 60 Inches

[Home]

phentermine online pharmacy split air conditioner phentermine prescription online panasonic compact fluorescent lighting fixtures buy cheap phentermine haier air conditioner about phentermine phentermine diet discount phentermine tiffany floor lamp small room portable air conditioner residential portable air conditioner air conditioner filters hurricane lamp friedrich air conditioner adipex diet phentermine pill halogen lamp phentermine now purchase phentermine phentermine on line power conditioner car air conditioner recharge diet pill phentermine victorian lamp phentermine for sale

[Main]

lamp tiffany small room portable air conditioner kerosene lamp contemporary table lamp wireless motion sensors lighting buy discount tramadol central air conditioner ratings fragrance for women hugo boss fragrance cheapest tramadol fiber optics lamp wholesale fragrance oils phentermine online pharmacy glass lamp shades online tramadol vanity lighting tiffany style lamp swag lamp givenchy fragrance antique lighting fixture air conditioner review mens fragrance 1 piano lamp vanity lighting tramadol sales

[Go]

calvin klein perfume christian dior perfume liz claiborne perfume versace perfume naomi campbell mystery perfume wholesale designer perfume ultima ii perfume dana perfume paris perfume revlon perfume fendi perfume wholesale perfume bottles anne klein perfume shalimar perfume perfume discount joy perfume chanel chance perfume perfume dessert discount jessica simpson perfume chrome azzaro wholesale designer perfume armani perfume realm perfume egyptian perfume bottles perfume estee lauder valentino perfume perfume estee lauder ellen tracy perfume revlon perfume paris hilton perfume michael kors perfume

[spam1@…]

I've been receiving spam from MvBlog's Trac bugtracker, so I'm closing this email address (spam1@…). If you need to reach me you can find my email address at http://www.electricmonk.nl/index.php?page=Contact