EDB-ID: 2751
CVE: 2006-5889
Author: CRAIG HEFFNER
Type: WEBAPPS
Platform: PHP
Date: 2006-11-10
Vulnerability: SQL Injection

Description:
BrewBlogger does not properly sanitize the 'id=' parameter passed to printLog.php. Since each user entry contains an auto-incrementing ID number, it is possible to enumerate all user names and passwords stored in the 'users' database by iterating through every possible ID number.

Vulnerable Code (truncated):
    // With magic_quotes_gpc off, the value is only passed through addslashes()
    $colname_log = ((get_magic_quotes_gpc())) ? $_GET['id'] : addslashes($_GET['id']);
    // The escaped value is interpolated unquoted, so addslashes() gives no protection here;
    // the column list between SELECT and FROM was lost in extraction and is assumed to be '*'
    $query_log = sprintf("SELECT * FROM brewing WHERE id = %s", $colname_log);
    $Log = mysql_query($query_log, $brewing) or die(mysql_error());

Usage:
This script will produce a URL which will reveal the user name and password for the specified ID. If no ID is specified, 2 is used (this seems to be the usual ID for the first user). The user name will be listed as "Method:" under 'General Information', and the password will be listed as "Cost:".

Examples:
- ./brewblogger.pl www.beerblog.com 3
- ./brewblogger.pl www.mysite.com/beerblog

Google Dork: intext:"BrewBlogger for PHP"
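As an added example (not BrewBlogger code or the advisory's script), the printLog.php construction reduced to one function beside a hardened replacement; the in-memory SQLite table, its `name` column and the crafted input are constructed for the demonstration.

```php
<?php
// Added example, not BrewBlogger code: the printLog.php construction reduced
// to one function, beside a hardened replacement. An in-memory SQLite table
// stands in for the MySQL 'brewing' table so this runs offline.

// Mirrors the vulnerable line: addslashes() escapes quotes, but the value is
// interpolated into an unquoted numeric position, so input without quotes
// passes through unchanged and becomes part of the SQL statement.
function vulnerable_query(string $id): string {
    $colname_log = addslashes($id);
    return sprintf("SELECT * FROM brewing WHERE id = %s", $colname_log);
}

// Hardened: accept only a string of decimal digits, then bind it as a
// parameter so the database never interprets it as SQL text.
function fetch_log(PDO $db, string $id): ?array {
    if (!ctype_digit($id)) {
        return null;                       // reject anything that is not 0-9
    }
    $stmt = $db->prepare("SELECT * FROM brewing WHERE id = ?");
    $stmt->execute([(int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE brewing (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO brewing (name) VALUES ('Pale Ale'), ('Stout')");

// Constructed input: it contains no quote characters, so addslashes()
// returns it unchanged and the WHERE clause is rewritten by the input.
$crafted = "1 OR 1=1";
assert(addslashes($crafted) === $crafted);

$rows = $db->query(vulnerable_query($crafted))->fetchAll(PDO::FETCH_ASSOC);
printf("vulnerable form: %d of 2 rows returned\n", count($rows));

var_dump(fetch_log($db, $crafted));   // rejected before any query is built
var_dump(fetch_log($db, "2"));        // only the row whose id is 2
```

The same fix applies to the original MySQL code: validate the parameter as an integer and use a bound parameter (mysqli or PDO) instead of sprintf with an unquoted %s.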