# Title : myBloggie 2.1.6 Multiple Remote SQL Injection Vulnerabilities
# Published : 2008-06-30
# Author : Jesper Jurcenoks
netVigilance Security Advisory #40
myBloggie version 2.1.6 Multiple SQL Injection Vulnerabilities
Description:
myBloggie (http://mywebland.com/mybloggie/) is considered one of the
simplest and most user-friendly, yet feature-packed, weblog systems
available to date. It is built using PHP & MySQL, the web's most popular
scripting language & database system, which enables myBloggie to be
installed on any web server.
A security problem in the product allows attackers to perform SQL injection.
External References:
Mitre CVE: CVE-2007-1899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1899
NVD NIST: CVE-2007-1899
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1899
OSVDB:
Summary:
myBloggie is a weblog system built using PHP & MySQL, the web's most
popular scripting language & database system, which enables myBloggie to
be installed on any web server.
Successful exploitation requires PHP magic_quotes_gpc set to Off and
register_globals set to a