[VIM] The parameter in e-moBLOG is "monthy" [sic]
Steven M. Christey
coley at mitre.org
Wed Jan 25 17:51:06 EST 2006
Re: CVE-2006-0403
Various VDBs are mis-reading evuln's original report as referring to the "monthly" parameter but, in fact, it's "monthy" (probably short for "month/year").
A grep of index.php in e-moBLOG 1.3 demonstrates the point and also yields a source verification:
>if (BLOG_LIMIT != 0 && (!$monthy || $monthy == "")) {
...
>} else if ($monthy || $monthy != "") {
...
> $wheremonth = "WHERE monthy = '$monthy'";
...
> $monthy = date("Ym");
...
> $wheremonth = "WHERE monthy = '$monthy'";
...
> echo "<a href=\"" . BLOG_URL . "index.php?monthy=" . $posts->monthy . "#" . $posts->id . "\" title=\"" . $lang['link'] . "\">\n"
and to show the SQL injection:
> $result = execRequest("SELECT * FROM blogposts $wheremonth ORDER BY date DESC $blog_limit", $connection);
and execRequest() (in includes/functions.php) has the requisite call to mysql_query().
- Steve
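The grep output above shows the injection point: the request parameter lands in `"WHERE monthy = '$monthy'"` and the assembled string goes straight to mysql_query(). The following is an added example, not e-moBLOG's code or anything from the original post, placing that construction next to a hardened equivalent. It assumes a PDO connection (`$pdo`) and keeps the `blogposts` table and `monthy`/`date` columns named in the post; `buildQueryVulnerable`, `monthyIsValid` and `fetchPostsSafe` are names chosen here for illustration.

```php
<?php
// Added example (not e-moBLOG's code): the vulnerable query construction
// quoted in the post, next to a hardened version. Assumes a PDO handle
// $pdo and the blogposts table with monthy/date columns named in the post.

// Vulnerable pattern: $monthy is interpolated directly into the SQL text,
// so any quote characters in the request parameter change the query.
function buildQueryVulnerable(?string $monthy, string $blogLimit): string {
    $wheremonth = '';
    if ($monthy !== null && $monthy !== '') {
        $wheremonth = "WHERE monthy = '$monthy'";
    }
    return "SELECT * FROM blogposts $wheremonth ORDER BY date DESC $blogLimit";
}

// Hardened, step 1: validate the shape. The original falls back to
// date("Ym"), i.e. exactly six digits such as "200601", so anything else
// is rejected before it reaches the database.
function monthyIsValid(?string $monthy): bool {
    return is_string($monthy) && preg_match('/^\d{6}$/', $monthy) === 1;
}

// Hardened, step 2: bind the value as a parameter instead of splicing it
// into the query string. LIMIT is cast to int since it cannot be bound
// portably with emulated prepares.
function fetchPostsSafe(PDO $pdo, ?string $monthy, int $limit = 0): array {
    if ($monthy === null || $monthy === '') {
        $monthy = date('Ym');
    }
    if (!monthyIsValid($monthy)) {
        throw new InvalidArgumentException('monthy must be YYYYMM');
    }
    $sql = 'SELECT * FROM blogposts WHERE monthy = :monthy ORDER BY date DESC';
    if ($limit > 0) {
        $sql .= ' LIMIT ' . (int) $limit;
    }
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':monthy', $monthy, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration with a constructed value containing a quote character:
// the vulnerable builder emits a query whose WHERE clause is no longer a
// simple equality, while the validator rejects the same input outright.
$constructed = "200601' OR 'a'='a";
echo buildQueryVulnerable($constructed, ''), "\n";
var_dump(monthyIsValid($constructed));
var_dump(monthyIsValid('200601'));
```

The format check is not a substitute for binding: the prepared statement is what keeps data and query text separate, while the whitelist turns a malformed request into an explicit error that can be logged rather than silently producing an empty or altered result.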