YapBB <= 1.2 Beta2 'find.php' SQL Injection Vulnerability

2006.05.23
Credit: geinblues
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

Title : YapBB <= 1.2 Beta2 'find.php' SQL Injection Vulnerability ------------------------------------------ Author : x90c(Kyong Joo, Jung) Published : 2006.5.16 E-mail : geinblues [at] gmail.com Site : http://www.chollian.net/~jyj9782 ------------------------------------------ 0x01 Summary YapBB is a OpenSource Web Forum written in php. (http://sourceforge.net/projects/yapbb) This web program is vulnerable to sql injection attack. So malicious attacker can get Every nicknames(id), passwords for this YapBB. Let's see the codes ~! 0x02 Testbed - Fedora Core 2 - MySQL-Server 5.0.19-log - Php5 ( magic_quotes_gpc = On ) 0x03 Codes ~/YapBB-1.2-Beta2/YapBB/find.php: - .. 34: $userBool = $HTTP_POST_VARS["choice"]=="user"; // if choice == 'user' 36: $userpostBool = !empty($HTTP_GET_VARS["userID"]); // userID == '[inject sql]' .. 119: else if ($userpostBool) 120: { 128: $postRes = $postQuery->select("SELECT p.date, t.id, t.description, u.nickname FROM " . $cfgDatabase['post'] . " AS p, " . $cfgDatabase['topic'] . " AS t, " . $cfgDatabase['user'] . " AS u WHERE t.id = p.topicid AND p.posterid = $userID AND u.id = p.posterid GROUP BY p.topicid ORDER BY p.date DESC LIMIT 50"); // execute sql! - No words. I wrote a exploit for getting all YapBB user's nicknames and passwords. Sorry i can't put exploit in this advisory =) 0x04 Exploit [x90c@hackzen testbed]$ whoami x90c [x90c@hackzen testbed]$ 0x05 Patch ~/YapBB-1.2-Beta2/YapBB/find.php: .. 128: $postRes = $postQuery->select("SELECT p.date, t.id, t.description, u.nickname FROM " . $cfgDatabase['post'] . " AS p, " . $cfgDatabase['topic'] . " AS t, " . $cfgDatabase['user'] . " AS u WHERE t.id = p.topicid AND p.posterid = '" . addslashes($userID) . "' AND u.id = p.posterid GROUP BY p.topicid ORDER BY p.date DESC LIMIT 50"); // x90c patch! .. Thanks! - Blu3h4t Team in korea


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top