[UNIX] OpenBB Forums Vulnerable to SQL Injection
support_at_securiteam.com
Date: 04/28/03
- Previous message: support_at_securiteam.com: "[EXPL] PoPToP PPTP Server Remote Exploit Code Released"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 28 Apr 2003 16:38:33 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
In the US?
Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!
Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -
OpenBB Forums Vulnerable to SQL Injection
------------------------------------------------------------------------
SUMMARY
<http://www.openbb.co.uk/> OpenBB is "a forum engine written in the PHP
language that uses MySQL database as its back-end". Multiple SQL injection
vulnerabilities have been discovered in the product allowing remote
attackers to cause the product to execute arbitrary SQL statements.
DETAILS
Vulnerable systems:
* OpenBB forums version 1.1.0
It is possible, as in other similar cases of SQL injection, to extract
information from database via these vulnerabilities. If a vulnerable host
is using MySQL 3 we are required to use the LIKE method(*). However, if
MySQL's version 4 is used we are allowed to use UNION, which makes the
vulnerability easier to exploit.
To exploit this vulnerability only need to add a extra space (or %20)
behind the number, followed by our SQL statement.
Examples:
http://vulnerable/index.php?CID=1 <something>
SELECT guest, forumid, title, lastthread, lastposter, lastposterid,
lastthreadid, lastpost, moderators, description, type, postcount,
threadcount, forumkey FROM obb_forum_display WHERE parent = 3 <something>
ORDER BY displayorder
http://vulnerable/board.php?FID=2 <something>
SELECT title, threadcount, type, hidden_topics, forumkey FROM
obb_forum_display WHERE forumid = 2 <something>
http://vulnerable/member.php?action=profile&UID=1 <something>
SELECT * FROM obb_customvalues v INNER JOIN obb_custompermis p ON
p.fieldid = v.fieldid INNER JOIN obb_customfields f on f.fieldid=v.fieldid
WHERE v.userid=1 <something> AND p.canviewothers='t' AND p.groupid='0'
ADDITIONAL INFORMATION
The information has been provided by <mailto:ripe@7a69ezine.org> Albert
Puigsech Galicia.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support_at_securiteam.com: "[EXPL] PoPToP PPTP Server Remote Exploit Code Released"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
