[NEWS] TorrentTrader Multiple SQL Injection Vulnerabilities
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 24 Jun 2008 09:07:23 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
TorrentTrader Multiple SQL Injection Vulnerabilities
------------------------------------------------------------------------
SUMMARY
" <http://www.torrenttrader.org/> TorrentTrader is a feature packed and
highly customisable PHP/MySQL Based BitTorrent tracker. Featuring
intergrated forums, and plenty of administration options." Secunia
Research has discovered some vulnerabilities in TorrentTrader, which can
be exploited by malicious people and malicious users to conduct SQL
injection attacks.
DETAILS
Vulnerable Systems:
* TorrentTrader version 1.08 Classic Edition released before 2008-06-17
Immune Systems:
* TorrentTrader version 1.08 Classic Edition released on 2008-06-17
Multiple vulnerabilities have been discovered in TorrentTrader:
1) Input passed to the "email" and "wantusername" parameters in
account-signup.php is not properly sanitised before being used in SQL
queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
Successful exploitation of this vulnerability allows e.g. retrieval of
administrator password hashes, but requires that "magic_quotes_gpc" is
disabled and that the site is not configured as invite-only.
2) Input passed to the "receiver" parameter in account-inbox.php (when
"msg" is set) is not properly sanitised before being used in SQL queries.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL
code.
Successful exploitation of this vulnerability requires valid user
credentials and that "magic_quotes_gpc" is disabled.
Solution:
Update to TorrentTrader 1.08 Classic Edition downloaded on 2008-06-17 or
later.
Time Table:
10/06/2008: Contacted the vendor.
17/06/2008: Contacted the vendor again.
17/06/2008: Vendor asks for PoC.
17/06/2008: Sent PoC to the vendor.
17/06/2008: Vendor releases a fixed version.
18/06/2008: Public disclosure.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2428>
CVE-2008-2428
ADDITIONAL INFORMATION
The information has been provided by Secunia Research.
The original article can be found at:
<http://secunia.com/secunia_research/2008-15/>
http://secunia.com/secunia_research/2008-15/
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NEWS] Cisco Intrusion Prevention System Jumbo Frame Denial of Service
- Next by Date: [TOOL] Protowalk: Generic Protocol Fuzzer and Protocol Testing Tool
- Previous by thread: [NEWS] Cisco Intrusion Prevention System Jumbo Frame Denial of Service
- Next by thread: [TOOL] Protowalk: Generic Protocol Fuzzer and Protocol Testing Tool
- Index(es):
Relevant Pages
|
|
