Published:2008/06/17  Last Updated:2008/06/19

BlognPlus SQL injection vulnerability


BlognPlus contains a SQL injection vulnerability.

Products Affected

  • BlognPlus v2.5.4 and earlier for MySQL or PostgreSQL
According to the vendor, BlognPlus for Text is not affected by this vulnerability.


BlognPlus from R-ONE Computer is software for creating blogs. BlognPlus for MySQL and for PostgreSQL contain a SQL injection vulnerability.
According to the vendor, BlognPlus for Text is not affected by this vulnerability since it does not use a database.


A remote attacker could obtain administrative privileges for blogs created using BlognPlus.


Update the Software
Apply the latest updates provided by the vendor.

Vendor Status

Vendor Status Last Update Vendor Notes
Blogn Vulnerable 2008/06/17


JPCERT/CC Addendum

The vendor has provided the latest information on this problem on May 28 2008.

Vulnerability Analysis by JPCERT/CC

Analyzed on 2008.06.17

Measures Conditions Severity
Access Required Routed - can be attacked over the Internet using packets
  • High
Authentication None - anonymous or no authentication (IP addresses do not count)
  • High
User Interaction Required None - the vulnerability can be exploited without an honest user taking any action
  • High
Exploit Complexity Low-Medium - some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls)
  • Medium-High

Description of each analysis measures


Hideyuki Naito reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2008-2819
JVN iPedia JVNDB-2008-000030

Update History