Title: Psychoblogger Multiple SQL Injection Vulnerabilities
Severity: HIGH
Description:
Psychoblogger is a web-based application used to create web logs. It is written in PHP and uses a MySQL database.
Multiple SQL injection vulnerabilities have been identified in the software. They may allow an attacker to influence SQL query logic and disclose sensitive information that could be used to gain unauthorized access.
The following specific issues have been reported:
An SQL injection vulnerability has been reported in 'shouts.php'. This issue results from insufficient sanitization of user-supplied data passed via the 'shoutlimit' parameter. Although unconfirmed, this issue could be used to harvest usernames and passwords of legitimate users of a vulnerable site.
An SQL injection vulnerability is reported to exist in the 'comments.php' script. This issue results from insufficient sanitization of user-supplied data passed via the 'blogid' parameter. It has been reported that this issue may be exploited via an HTTP POST request to harvest encrypted passwords from the database, which could then be exposed by brute-forcing.
Another SQL injection vulnerability may exist in the 'category.php' script. This issue could allow an attacker to gain access to author passwords, which could be used to launch further attacks against the vulnerable system.
The root cause of these issues is insufficient sanitization of user-supplied data. A malicious user may influence database queries to view or modify sensitive information, potentially compromising the software or the database.
Psychoblogger version PB-beta1 has been reported to be prone to these issues; however, other versions could be affected as well.
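The following is an added illustrative example, not Psychoblogger's own code: it models the pattern the advisory describes (a request parameter such as 'shoutlimit', or 'blogid' from a POST body, reaching a MySQL query unvalidated) beside a hardened version using type validation and a prepared statement. The table and column names are assumed.

```php
<?php
// Illustrative only: NOT Psychoblogger's code. Table/column names are assumed.
// $request may be $_GET or $_POST, so the same fix applies to 'blogid' via POST.

// Vulnerable pattern: the request parameter is interpolated directly into the
// SQL string, so anything other than a plain number alters the query's logic.
function get_shouts_vulnerable(mysqli $db, array $request): mysqli_result|false
{
    $limit = $request['shoutlimit'] ?? '10';
    $sql = "SELECT name, message FROM shouts ORDER BY id DESC LIMIT " . $limit;
    return $db->query($sql);
}

// Hardened pattern: validate the parameter as an integer within a sane range
// (falling back to a default), then bind it as an integer in a server-side
// prepared statement so the value can never be parsed as SQL syntax.
function get_shouts_safe(mysqli $db, array $request): array
{
    $limit = filter_var(
        $request['shoutlimit'] ?? 10,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100, 'default' => 10]]
    );
    $stmt = $db->prepare('SELECT name, message FROM shouts ORDER BY id DESC LIMIT ?');
    $stmt->bind_param('i', $limit);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

The same two-step approach (validate the expected type, then bind the value) removes the class of issue for every parameter named in this advisory, not just 'shoutlimit'.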
Affected Products:
- Psychoblogger Psychoblogger 0.0.0PB-beta1
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.