SEO-Board: SQL injection

ghc_at_ghc.ru
Date: 09/27/05

    Date: 27 Sep 2005 05:25:35 -0000
    To: bugtraq@securityfocus.com
    
    
    Product: SEO-Board
    Version: 1.02
    Author: Hristo Hristov
    URL: http://seo-board.com
    VULNERABILITY CLASS: SQL injection through cookie

    [PRODUCT DESCRIPTION]
    SEO-Board is forum software that is fast, free, and search engine friendly.
    It is written in PHP and uses a MySQL database.

    [VULNERABILITY]
    Vulnerable script: admin.php

    --[code]--

    if (!isset($_COOKIE[$cookiename]))
        die('You must be logged as admin to access the admin panel');

    // The cookie is client-controlled; stripslashes() removes any backslash escaping
    list($user_id, $user_pass_sha1) = unserialize(stripslashes($_COOKIE[$cookiename]));
    if ($user_id != 1)
        die('You must be logged as admin to access the admin panel');
    if (!is_numeric($user_id))
        die($lang['fatal_error']);
    // $user_pass_sha1 is interpolated into the query with no validation or escaping
    $result = mysql_query("SELECT user_name FROM {$dbpref}users WHERE user_id='$user_id' AND user_pass='$user_pass_sha1'");
    if (mysql_num_rows($result) != 1)
        die($lang['fatal_error']);
    else
        $user_name = mysql_result($result, 0);
    $admin_panel_link = eval(get_template('adminpanellink'));
    --[/code]--

    IMPACT:
    An attacker can inject SQL statements through the cookie. As a result, anyone can gain administrative privileges.

    [BUGFIX]
    Upgrade to 1.03 version.

    [CREDITS]
    RST/GHC
    rst.void.ru
    www.ghc.ru
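
In the excerpt above, only `$user_id` is checked with `is_numeric()`; `$user_pass_sha1` comes out of `unserialize(stripslashes(...))` and goes straight into the query string. The following is an added example of a hardened form of that check, not SEO-Board code and not the 1.03 fix: the `id:sha1hex` cookie format, the `admin_name_from_cookie()` helper, and the in-memory SQLite table standing in for the MySQL users table are all assumptions.

```php
<?php
// Added example (not SEO-Board code): no unserialize() on cookie data,
// strict format validation, and a bound parameter instead of interpolation.
// Assumed cookie format: "<user_id>:<40 hex chars>"; helper name is hypothetical.
function admin_name_from_cookie(PDO $db, ?string $cookie): ?string
{
    if ($cookie === null) {
        return null;
    }
    // Anything that is not digits, a colon and a 40-char lowercase hex string
    // is rejected before it gets near the database.
    if (!preg_match('/\A(\d{1,10}):([0-9a-f]{40})\z/', $cookie, $m)) {
        return null;
    }
    $userId = (int) $m[1];
    if ($userId !== 1) {            // the admin panel is for user_id 1 only
        return null;
    }
    // The placeholder keeps cookie-derived values out of the SQL text.
    $stmt = $db->prepare('SELECT user_name, user_pass FROM users WHERE user_id = :id');
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Compare the stored hash and the supplied one in constant time.
    return hash_equals($row['user_pass'], $m[2]) ? $row['user_name'] : null;
}

// Constructed sample data: in-memory SQLite stands in for the MySQL users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT, user_pass TEXT)');
$hash = sha1('constructed-sample-password');
$db->prepare('INSERT INTO users VALUES (1, :n, :p)')->execute([':n' => 'admin', ':p' => $hash]);

$cases = [                                        // all values are constructed
    'valid cookie'            => "1:$hash",
    'wrong hash'              => '1:' . sha1('something-else'),
    'non-hex value, has quote' => "1:abc'def",
    'serialized array'        => serialize([1, $hash]),
    'cookie missing'          => null,
];
foreach ($cases as $label => $cookie) {
    $name = admin_name_from_cookie($db, $cookie);
    printf("%-26s => %s\n", $label, $name === null ? 'denied' : "admin panel for $name");
}
```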

