SEO-Board: SQL injection

ghc_at_ghc.ru
Date: 09/27/05

    Date: 27 Sep 2005 05:25:35 -0000
    To: bugtraq@securityfocus.com
    
    
    Product: SEO-Board
    Version: 1.02
    Author: Hristo Hristov
    URL: http://seo-board.com
    VULNERABILITY CLASS: SQL injection through cookie

    [PRODUCT DESCRIPTION]
    SEO-Board is a forum software that's fast, free, and search engine friendly.
    It is written in PHP and uses a MySQL database.

    [VULNERABILITY]
    Vulnerable script: admin.php

    --[code]--

    if (!isset($_COOKIE[$cookiename]))
        die('You must be logged as admin to access the admin panel');

    list($user_id, $user_pass_sha1) = unserialize(stripslashes($_COOKIE[$cookiename]));
    if ($user_id != 1)
        die('You must be logged as admin to access the admin panel');
    if (!is_numeric($user_id))
        die($lang['fatal_error']);
    $result = mysql_query("SELECT user_name FROM {$dbpref}users WHERE user_id='$user_id' AND user_pass='$user_pass_sha1'");
    if (mysql_num_rows($result) != 1)
        die($lang['fatal_error']);
    else
        $user_name = mysql_result($result, 0);
    $admin_panel_link = eval(get_template('adminpanellink'));
    --[/code]--

    IMPACT:
    An attacker can inject an SQL statement through the cookie. As a result, anybody can gain administrative privileges.

    [BUGFIX]
    Upgrade to 1.03 version.

    [CREDITS]
    RST/GHC
    rst.void.ru
    www.ghc.ru
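
A hardened form of the admin.php check quoted above, as an added example that is neither SEO-Board's own code nor the 1.03 fix. It assumes PDO (with the pdo_sqlite driver for the offline demo) and a JSON-encoded cookie in place of unserialize(); `admin_user_name()`, the `forum_users` table and the demo rows are hypothetical and constructed.

```php
<?php
// Added example, not SEO-Board code. Hypothetical names: admin_user_name(),
// forum_users. The cookie layout (user id + SHA-1 hex of the password) is
// kept from the quoted script so the two checks can be compared.

function admin_user_name(PDO $db, ?string $cookie): ?string
{
    if ($cookie === null) {
        return null;
    }
    // JSON instead of unserialize(): client data never reaches PHP's
    // deserializer and can only yield scalars and arrays.
    $data = json_decode($cookie, true);
    if (!is_array($data) || !isset($data[0], $data[1])) {
        return null;
    }
    [$userId, $passSha1] = $data;
    // Strict type and format checks replace the loose `!= 1` comparison.
    if ($userId !== 1 || !is_string($passSha1)
        || preg_match('/\A[0-9a-f]{40}\z/', $passSha1) !== 1) {
        return null;
    }
    // A placeholder keeps the cookie value out of the SQL text entirely.
    $stmt = $db->prepare(
        'SELECT user_name, user_pass FROM forum_users WHERE user_id = ?'
    );
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare the stored hash in PHP, in constant time, not inside the query.
    if ($row === false || !hash_equals((string) $row['user_pass'], $passSha1)) {
        return null;
    }
    return $row['user_name'];
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE forum_users (user_id INTEGER PRIMARY KEY, user_name TEXT, user_pass TEXT)');
$hash = sha1('constructed-demo-password');
$db->prepare('INSERT INTO forum_users VALUES (1, ?, ?)')->execute(['admin', $hash]);

var_dump(admin_user_name($db, json_encode([1, $hash])));          // well-formed admin cookie
var_dump(admin_user_name($db, json_encode([1, "not-a-hash'"])));  // second element is not a SHA-1 hex string
var_dump(admin_user_name($db, json_encode(['1', $hash])));        // user id sent as a string, not an integer
```

The format check and the placeholder are independent layers: either one alone keeps a quote character in the cookie from altering the query.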

