CVE-2004-1570
Description
SQL injection in bBlog 0.7.2 and 0.7.3 allows remote attackers to execute arbitrary SQL commands via the p parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in bBlog versions 0.7.2 and 0.7.3. The $p array is not initialized before being passed to $bBlog->make_post_query() on line 30 of rss.php. In environments where register_globals is enabled, an attacker can therefore seed $p from user-controlled input (URL, POST data, or cookies) and inject arbitrary SQL commands via the p parameter [1].
Exploitation
An attacker needs only network access to the bBlog installation, and the server must have register_globals enabled. By sending a specially crafted request containing malicious SQL in the p parameter, the attacker can manipulate the database query. The exploit details were withheld at the maintainer's request, but the vulnerability is remotely exploitable without authentication [1].
Impact
Successful exploitation allows a remote attacker to execute arbitrary SQL commands, potentially leading to disclosure of sensitive data, including administrative credentials. This can result in full administrative access to the bBlog application, compromising the integrity and confidentiality of the blog and its data [1].
Mitigation
The issue is fixed in bBlog version 0.7.4. A patch for rss.php for version 0.7.3 is available from the vendor advisory [1]. Users should upgrade to 0.7.4 or apply the patch. Disabling register_globals in the PHP configuration also mitigates the vulnerability.
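To illustrate the defect class and its fix, the following is an added PHP example and not bBlog's own code: make_post_query() is modelled as a hypothetical helper that turns a $p array into a WHERE clause, and the column names and request values are constructed for the demonstration.

```php
<?php
// Added illustration, not bBlog's code. The real make_post_query() signature
// is not shown on the page; this hypothetical version only models the pattern.

// Vulnerable pattern (as described for rss.php in 0.7.2/0.7.3): $p is never
// initialised, so with register_globals=On the request seeds it before the
// query is built, and every value is interpolated straight into the SQL text.
function make_post_query_unsafe(array $p): string {
    $where = [];
    foreach ($p as $col => $val) {
        $where[] = "$col = '$val'";            // raw interpolation: injectable
    }
    return 'SELECT * FROM posts' . ($where ? ' WHERE ' . implode(' AND ', $where) : '');
}

// Hardened pattern: explicit initialisation, an allow-list of filter keys
// (constructed names), typed validation, and placeholders so no user value
// ever becomes part of the SQL string.
const ALLOWED_FILTERS = ['postid' => FILTER_VALIDATE_INT, 'sectionid' => FILTER_VALIDATE_INT];

function make_post_query_safe(array $input): array {
    $p = [];                                   // never rely on an inherited global
    foreach (ALLOWED_FILTERS as $key => $filter) {
        if (!isset($input[$key])) {
            continue;
        }
        $v = filter_var($input[$key], $filter);
        if ($v === false) {
            throw new InvalidArgumentException("rejected value for $key");
        }
        $p[$key] = $v;
    }
    $clauses = [];
    $params  = [];
    foreach ($p as $col => $val) {
        $clauses[] = "$col = :$col";           // $col comes only from the allow-list
        $params[":$col"] = $val;
    }
    $sql = 'SELECT * FROM posts' . ($clauses ? ' WHERE ' . implode(' AND ', $clauses) : '');
    return [$sql, $params];                    // run as $pdo->prepare($sql)->execute($params)
}

// Constructed request: a non-numeric value where an integer post id is expected.
$request = ['postid' => "1 OR 1=1"];
echo make_post_query_unsafe($request), "\n";  // the stray clause reaches the query text
try {
    [$sql, $params] = make_post_query_safe($request);
} catch (InvalidArgumentException $e) {
    echo "hardened path: ", $e->getMessage(), "\n";   // input rejected before any SQL is built
}
```

Initialising $p and binding values through prepared statements removes the dependency on register_globals entirely, so the fix holds even on hosts where that setting cannot be changed.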
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 5
News mentions: 0 (no linked articles in our index yet)