[VIM] VERIFY Pluggedout Blog 1.9.9c exec.php SQL injection

Steven M. Christey coley at mitre.org
Mon Feb 6 18:14:25 EST 2006

downloaded 1.9.9c as referenced here:


I verified the SQL injection via source inspection.

In database.php, $entryid in db_sql_comment_add() is not escaped:

>function db_sql_comment_add($entryid,$name,$email,$url,$comment){
>	$name = mysql_escape_string(strip_tags($name));
>	$email = mysql_escape_string(strip_tags($email));
>	$url = mysql_escape_string(strip_tags($url));
>	$comment = mysql_escape_string(strip_tags($comment));
>	$sql = "INSERT INTO ".$db_prefix."comments (nEntryId,cName,cEMail,cURL,cComment,dAdded)"
>		." VALUES (".$entryid.",'".$name."','".$email."','".$url."','".$comment."',now())";

In exec.php:

>function comment_add($entryid,$name="",$email="",$url="",$comment=""){
>	$sql = db_sql_comment_add($entryid,$name,$email,$url,$comment);	

So, if we control the 1st argument to comment_add() we are set.

Later in exec.php:

>switch ($_GET["action"]){
>	case "comment_add":
>		$result = comment_add($_REQUEST["entryid"],$_REQUEST["name"],$_REQUEST["email"],$_REQUEST["url"],$_REQUEST["comment"]);

So we have $_REQUEST["entryid"] added unquoted into a SQL query.
Note: other code in the same file seems to use $_REQUEST["entryid"] as

- Steve
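
A hardened replacement for the quoted db_sql_comment_add()/comment_add() pair, added here as an example (not Pluggedout's own code): entryid is validated as an integer before it can reach the query, and every user value is bound through a PDO prepared statement. The connection details and the 'po_' table prefix are placeholders.

```php
<?php
// Added example (not Pluggedout's code): hardened replacement for the
// db_sql_comment_add()/comment_add() pair quoted in the post.
// Connection details and table prefix below are placeholders.
$db_prefix = 'po_';
$pdo = new PDO('mysql:host=localhost;dbname=blog', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

function validate_entry_id($raw): int {
    // nEntryId is numeric, so accept only a plain positive decimal integer;
    // anything else is rejected instead of being spliced into the SQL text.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('entryid must be a positive integer');
    }
    return $id;
}

function db_comment_add(PDO $pdo, string $db_prefix, $entryid, string $name,
                        string $email, string $url, string $comment): bool {
    $entryid = validate_entry_id($entryid);
    // Only the table prefix (server-side config, not user input) is
    // interpolated; identifiers cannot be bound as parameters.
    $sql = "INSERT INTO {$db_prefix}comments"
         . " (nEntryId,cName,cEMail,cURL,cComment,dAdded)"
         . " VALUES (:entryid,:name,:email,:url,:comment,now())";
    $stmt = $pdo->prepare($sql);
    // Every user-supplied value is a bound parameter, sent to the server
    // separately from the statement, so no quoting or escaping is involved.
    $stmt->bindValue(':entryid', $entryid, PDO::PARAM_INT);
    $stmt->bindValue(':name',    strip_tags($name));
    $stmt->bindValue(':email',   strip_tags($email));
    $stmt->bindValue(':url',     strip_tags($url));
    $stmt->bindValue(':comment', strip_tags($comment));
    return $stmt->execute();
}

// Dispatch as in exec.php, but failing closed on a malformed entryid.
if (($_GET['action'] ?? '') === 'comment_add') {
    try {
        db_comment_add($pdo, $db_prefix, $_REQUEST['entryid'] ?? '',
            $_REQUEST['name'] ?? '', $_REQUEST['email'] ?? '',
            $_REQUEST['url'] ?? '', $_REQUEST['comment'] ?? '');
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        exit('invalid entryid');
    }
}
```

A rejected entryid now produces a 400 response rather than a malformed INSERT, which also makes probing attempts visible in the web server's access log.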
