WWWThread RC 3 MultBugs

2006.04.19
Credit: D3vil-0x1 | Devil-00
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2006-1958
CWE: CWE-Other


CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

// --- WWWThread RC 3 MultBugs --- // * D3vil-0x1 | Devil-00 * www.securitygurus.net * Gr33tz - HACKERS PAL | n0m3rcy | - & All Others << i forgot them :)) //---------------------------------// //---------------------------------// [ Bug 1 ] //---------------------------------// // File name :- register.php // Bug :- Remote [ _COKKIE['forumreferrer] ] SQL Injection /* Code // if(isset($_COOKIE["forumreferrer"])) { $referral_id = $_COOKIE["forumreferrer"]; $result = $db->query('SELECT referral_count FROM '.$db->prefix.'users WHERE id='.$referral_id) or error(mysql_error(), __FILE__, __LINE__, $db->error()); list($referral_val) = $db->fetch_row($result); $rval = $referral_val[0] + 1; $db->query('UPDATE '.$db->prefix.'users SET referral_count='. $rval . ' WHERE id='.$ referral_id) or error(mysql_error(), __FILE__, __LINE__, $db->error()); } // */ Fix :- /* $referral_id = intval($_COOKIE["forumreferrer"]); */ //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// [ Bug 2 ] //---------------------------------// // File name :- message_list.php // Bug :- Remote SQL Injection /* Code if( isset($_POST['delete_messages']) || isset($_POST['delete_messages_comply']) ) { if( isset($_POST['delete_messages_comply']) ) { confirm_referrer('message_list.php'); $db->query('DELETE FROM '.$db->prefix.'messages WHERE id IN('.$_POST['messages'].') AND owner= ''.$forum_user['id'].''') or error(mysql_error(), __FILE__, __LINE__, $db->error()); redirect('message_list.php?box='.$_POST['box'], $lang_pms['Deleted redirect']); } */ // Fix :- Replace with this code :D if( isset($_POST['delete_messages']) || isset($_POST['delete_messages_comply']) ) { if( isset($_POST['delete_messages_comply']) ) { confirm_referrer('message_list.php'); $db->query('DELETE FROM '.$db->prefix.'messages WHERE id IN('.intval($_POST['messages']).') AND owner= ''.$forum_user['id'].''') or error(mysql_error(), __FILE__, __LINE__, $db->error()); redirect('message_list.php?box='.$_POST['box'], $lang_pms['Deleted redirect']); } // Exploit - Resend This Requsit By HTTPLiveHeaders :D - messages=[SQL]&box=0&delete_messages_comply=Delete


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top