Bug: Sql injection in SMF [Admin section] ( Ascii Version )

Search:
WLB2

Sql injection in SMF [Admin section]

Published
Credit
Risk
2006.09.08
Omid
Medium
CWE
CVE
Local
Remote
CWE-89
CVE-2006-4564
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
5.1/10
6.4/10
4.9/10
Exploit range
Attack complexity
Authentication
Remote
High
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

Hi,
There is a sql injection in SMF 1.1 RC3, in admin section :
When an administrator is going to add a new board, the "cur_cat" parameter
is not checked properly :

File /Sources/ManageBoards.php, Line 609 :
:: // Create a new board...
:: if (isset($_POST['add']))
:: {
:: // New boards by default go to the bottom of the category.
:: if (empty($_POST['new_cat']))
<span class="quotelev2">>> $boardOptions['target_category'] = $_POST['cur_cat'];
</span>
:: if (!isset($boardOptions['move_to']))
:: $boardOptions['move_to'] = 'bottom';
::
<span class="quotelev2">>> createBoard($boardOptions);
</span>
:: }

And in "createBoard()" function :

File /Sources/Subs-Boards.php, Line 1095 :
:: // Insert a board, the settings are dealt with later.
:: db_query("
:: INSERT INTO {$db_prefix}boards
:: (ID_CAT, name, description, boardOrder, memberGroups)
<span class="quotelev2">>> VALUES ($boardOptions[target_category],
SUBSTRING('$boardOptions[board_name]', 1, 255), '', 0, '-1,0')", __FILE__, __LINE__);
</span>
This is in administration section, so it doesnt seem to be critical.

- Omid

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version