SQL injection bug found in TBSource.



A vulnerability found in the popular BitTorrent tracker TBSource code allows an attacker to inject SQL queries and read secret information from the database.
The value of 'choice' passed to the script index.php is not properly sanitized. When an attacker passes a specially crafted value, full read access to the database is possible.
Some projects based on TBSource, such as TBDev and TorrentStrike, have been found to be affected by the same vulnerability.

Bug discovered by Emiliano Scavuzzo


