SQL-Injection in IP-TRACKING Mod for phpBB2.0.x

Risk: Medium
Local: No
Remote: Yes
CWE: CWE-Other

CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Information: The IP-Tracking Mod is a Extension for phpBB2.0.x which logs all Page hits the user of the Boards do including Referer, IP and Username. It contains a SQL-Injection on Admin-Level. You can get it from: http://www.phpbb.de/viewtopic.php?t=63690&postdays=0&postorder=asc&start =0 Steps to reproduce: Go into your ACP, select under IP-Tracking IP-Search, select "no" at use wildcards and enter in Search Query what you want. It is direct passed through the Query. As Search Type I used IP. PoC: enter ' UNION SELECT user_password as ip,user_id,username,user_active,user_regdate,user_level,user_posts from phpbb_users# as Search-Query. This will display you all the hashed Userpasswords in IP

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com


Back to Top