CVE-2007-3974
Published 2007-07-25
Priority P352 · high · 7.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 3.67% (88.3th percentile)
admin/ajoutaut.php in JBlog 1.0 does not require authentication, which allows remote attackers to create arbitrary accounts via modified mot and droit parameters.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jblog | jblog | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests to index.php containing SQL UNION injection patterns targeting the 'id' parameter, specifically selecting from the 'auteur' table.
- Alert on unauthenticated POST requests to admin/ajoutaut.php with 'mot' and 'droit' parameters, indicating an attempt to create unauthorized admin accounts.
- Detect manipulation of the 'theme' cookie value in JBlog requests, which may indicate XSS/cookie injection attempts.
- Use Google dork to identify exposed JBlog 1.0 instances as potential targets: search for the string 'propulsé par JBlog'.
- Flag requests to admin/supauteur.php with a 'cat' parameter, which the exploit uses to delete admin accounts after privilege escalation.
- The exploit targets port 80 (plain HTTP) only; HTTPS deployments would not be reached by this specific exploit script as written.
- The SQL injection payload specifically extracts credentials from the 'auteur' table where id=1, meaning only the first registered user (typically admin) is targeted by the default exploit.
- Newly created accounts via the privilege escalation exploit receive a default password of 'admin' (MD5: e10adc3949ba59abbe56e057f20f883e), which should be checked during incident response.
Suricata
ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UPDATE
suricata·2010-07-30·CVSS 7.5
CVE-2007-2902 [HIGH] ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UPDATE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UPDATE"; flow:established,to_server; http.uri; content:"/main/auth/my_progress.php?"; nocase; content:"course="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; classtype:web-application-attack; sid:2004070; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access,
Suricata
ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course DELETE
suricata·2010-07-30·CVSS 7.5
CVE-2007-2902 [HIGH] ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course DELETE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course DELETE"; flow:established,to_server; http.uri; content:"/main/auth/my_progress.php?"; nocase; content:"course="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; classtype:web-application-attack; sid:2004068; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access
Suricata
ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course ASCII
suricata·2010-07-30·CVSS 7.5
CVE-2007-2902 [HIGH] ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course ASCII
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course ASCII"; flow:established,to_server; http.uri; content:"/main/auth/my_progress.php?"; nocase; content:"course="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; classtype:web-application-attack; sid:2004069; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access
Suricata
ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course INSERT
suricata·2010-07-30·CVSS 7.5
CVE-2007-2902 [HIGH] ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course INSERT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course INSERT"; flow:established,to_server; http.uri; content:"/main/auth/my_progress.php?"; nocase; content:"course="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; classtype:web-application-attack; sid:2004067; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access
Suricata
ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course SELECT
suricata·2010-07-30·CVSS 7.5
CVE-2007-2902 [HIGH] ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course SELECT"; flow:established,to_server; http.uri; content:"/main/auth/my_progress.php?"; nocase; content:"course="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; classtype:web-application-attack; sid:2004065; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access
Suricata
ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UNION SELECT
suricata·2010-07-30·CVSS 7.5
CVE-2007-2902 [HIGH] ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UNION SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UNION SELECT"; flow:established,to_server; http.uri; content:"/main/auth/my_progress.php?"; nocase; content:"course="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; classtype:web-application-attack; sid:2004066; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name I
Exploit-DB
JBlog 1.0 - 'index.php?id' SQL Injection
exploitdb·2007-09-14
CVE-2007-4919 JBlog 1.0 - 'index.php?id' SQL Injection
---
##################################################
# Script....................................: JBlog ver 1.0
# Script Site...........................: http://www.jmuller.net/jblog/index.php
# Vulnerability........................: Remote SQL injection Exploit
# Access..................................: Remote
# level......................................: Dangerous
# Author..................................: S4mi
# Contact.................................: S4mi[at]LinuxMail.org
##################################################
#Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, r0_0t, ddx39 .....
#
##################################################
#Vuln :
#http://127.0.0.1/jblog/index.php?id=[SQL]
#http://127.0.0.1/jblog/admin
Exploit-DB
JBlog 1.0 - Create / Delete Admin Authentication Bypass
exploitdb·2007-07-21
CVE-2007-4919 JBlog 1.0 - Create / Delete Admin Authentication Bypass
---
[xss Here]&pcomm=com
cookies Manipulation:
The POST variable 'search' in /jblog/recherche.php also The Cookie variable 'theme' is affected and can be set to :
also we can do this :
'>
or :
'>
This is a small example of Inject Cookie Xploit (Cookie Manipulation)
Inject Cookie Xploit By S4mi
function JBlogxpl()
{
document.xploit.action=document.xploit.victim.value;
document.xploit.submit();
}
document.location="javascript: JBlogxpl()"
Remote Privilege Escalation "Creat New Admin Xploit" By S4mi :
-->
JBlog 1.0 -- Remote Privilege Escalation (Creat admin sploit) -- By S4mi
function JBlogxpl() {
if (document.xploit.victim.value=="") {
alert("Please enter target!");
return false;
}
{
xploit.action="http://"+docum
No writeups or analysis indexed.
References
- http://osvdb.org/38561
- http://secunia.com/advisories/26165
- http://securityreason.com/securityalert/2919
- http://www.securityfocus.com/archive/1/474320/100/0/threaded
- http://www.securityfocus.com/bid/24991
- http://www.vupen.com/english/advisories/2007/2611
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35550
- https://www.exploit-db.com/exploits/4211