Patch for Yogurt writemessage.php original Parameter SQL Injection

Saturday, June 27, 2009
###################################
Patch for Yogurt writemessage.php
original Parameter SQL Injection
vendor url:http://sourceforge.net/tracker/?group_id=112452
####################################

This is a manual fix for the last discovered sql
injection vulnerability in yogurt social network


#########################
vulnerability references:
#########################

http://osvdb.org/show/osvdb/55098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2034
http://www.milw0rm.com/exploits/8932

####################
SQL injection PoC
####################

http://localhost/yogurt/system/writemessage.php?original=
-1+union+select+1,concat_ws(0x3a,username,password),3,4,5,
6,7,8+from+users--

###############
Specific vendor
###############

http://sourceforge.net/tracker/?func=detail&aid=
2813318&group_id=112452&atid=663715

###########
MANUAL FIX
###########

open writemessage.php and look this code =>

Line 79: if (isset($_GET['original']))
Line 81: $rs = mysql_query("SELECT * FROM messages WHERE id=" .
$_GET['original'], $db)

###############
change
################

Line 81: $rs = mysql_query("SELECT * FROM messages WHERE id=" .
intval($_GET['original']), $db)

####################€nd ########################

atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...