MKPortal 1.1 Remote SQL Injection Vulnerability.

2006.04.28
Credit: Mustafa Can Bjorn IPEKCI (nukedx nukedx com)
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2006-2067 | CVE-2006-2066
CWE: CWE-89

--Security Report-- Advisory: vBulletin <= 3.5.4 with MKPortal 1.1 Remote SQL Injection Vulnerability. --- Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI --- Date: 21/04/06 22:36 PM --- Contacts:{ ICQ: 10072 MSN/Email: nukedx (at) nukedx (dot) com [email concealed] Web: http://www.nukedx.com } --- Vendor: MKPortal (http://www.mkportal.it/) Version: 1.1 RC1 and prior versions must be affected. (Runs on vBulletin!) About: Via this methods remote attacker can inject arbitrary SQL queries to ind parameter in index.php of MKPortal. Vulnerable code can be found in the file mkportal/include/VB/vb_board_functions.php at line 35-37, as you can see it easy to by pass this SQL update function. Also there is cross-site scripting vulnerability in pm_popup.php the parameters u1,m1,m2,m3,m4 did not sanitized properly. Level: Critical --- How&Example: SQL Injection : GET -> http://[victim]/[mkportaldir]/index.php?ind=[SQL] EXAMPLE -> http://[victim]/[mkportaldir]/index.php?ind=',userid='1 So with this example remote attacker updates his session's userid to 1 and after refreshing the page he can logs as userid 1. XSS: GET -> http://[victim]/[mkportaldir]/includes/pm_popup.php?u1=[XSS]&m1=[XSS]&m2 =[XSS]&m3=[XSS]&m4=[XSS] --- Timeline: * 21/04/2006: Vulnerability found. * 21/04/2006: Contacted with vendor and waiting reply. --- Exploit: http://www.nukedx.com/?getxpl=26 --- Dorks: "MKPortal 1.1 RC1" --- Original advisory can be found at: http://www.nukedx.com/?viewdoc=26


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top