
List:       bugtraq
Subject:    [MaxPatrol] SQL-injection in Ikonboard 3.1.x
From:       Alexander Anisimov <anisimov () ptsecurity ! com>
Date:       2004-12-16 17:02:27
Message-ID: 20041216225108.29333.qmail () www ! securityfocus ! com
[MaxPatrol] SQL-injection in Ikonboard 3.1.x

   Release Date:     December 16, 2004
   Date Reported:    December 2, 2004
   Severity:         High
   Application:      Ikonboard 3.1.x
   Affects versions: 3.1.0, 3.1.1, 3.1.2 and 3.1.3.
   Platform:         Perl (CGI script ikonboard.cgi) on MySQL



I. DESCRIPTION

Input passed to the "st" and "keywords" parameters of "ikonboard.cgi" is not
properly sanitised before being used in a SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code. In both cases the
application returns the raw MySQL error message to the client, so the injection
is error-based and the structure of the affected query is disclosed: the value
of "st" is used unquoted as the offset of a LIMIT clause, and "keywords" is
embedded inside a parenthesised WHERE expression.


1) SQL injection in "st" parameter

Example:
http://host/support/ikonboard.cgi?act=ST&f=27&t=13066&hl=nickname&st=1'

Result:
Ikonboard CGI Error 
-----------------------------------------------------------------------
Ikonboard has exited with the following error: 

Can't query the data from 'forum_posts' Reason: You have an error in your SQL
syntax. Check the manual that corresponds to your MySQL server version for the
right syntax to use near '', 20'

This error was reported at: line 1 Query: SELECT * FROM iB313_forum_posts WHERE
TOPIC_ID = '13066' AND QUEUED <> '1' ORDER BY POST_DATE ASC LIMIT 1', 20

Please note that your 'real' paths have been removed to protect your information. 
-----------------------------------------------------------------------


2) SQL injection in "keywords" parameter

Example:
http://host/support/ikonboard.cgi?act=Search&CODE=01&keywords='&type=name&forums=all&search_in=all&prune=0


Result:
Ikonboard CGI Error 
-----------------------------------------------------------------------
Ikonboard has exited with the following error: 

mySQL error
Can't query the data: You have an error in your SQL syntax. Check the manual that
corresponds to your MySQL server version for the right syntax to use near
') ORDER BY DATE DESC LIMIT 0,200'

This error was reported at: line 1 

Please note that your 'real' paths have been removed to protect your information. 
-----------------------------------------------------------------------


This vulnerability was found automatically by the full-featured commercial
version of MaxPatrol.
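The two injection points above, reproduced as an added example (this is not
Ikonboard code and does not come from the advisory). It uses Python and an
in-memory SQLite table in place of the Perl CGI and MySQL, so the error text
differs, but the failure mode is the same: "st" is spliced unquoted into a LIMIT
clause and "keywords" into a quoted LIKE pattern. The table name and the
TOPIC_ID, QUEUED and POST_DATE columns are taken from the query leaked in the
first error; the other columns, the sample rows and the exact shape of the
search query (the advisory only shows the trailing ") ORDER BY ... LIMIT 0,200"
fragment) are assumptions. The hardened functions show the check a fix would
need: reject anything but a plain non-negative integer for "st", and bind
"keywords" as a parameter with LIKE metacharacters escaped.

```python
"""Added example (not Ikonboard code): reproduce the two injection points from
the advisory against an in-memory SQLite table, then show the hardened form."""
import re
import sqlite3


def make_db():
    """Constructed stand-in for the iB313_forum_posts table named in the
    advisory's error output. Columns other than TOPIC_ID, QUEUED and POST_DATE
    (which appear in the leaked query) and all rows are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE iB313_forum_posts (
            POST_ID   INTEGER PRIMARY KEY,
            TOPIC_ID  TEXT,
            QUEUED    TEXT,
            POST_DATE INTEGER,
            POST      TEXT);
        INSERT INTO iB313_forum_posts VALUES
            (1, '13066', '0', 100, 'first post'),
            (2, '13066', '1', 110, 'queued post'),
            (3, '13066', '0', 120, 'third post'),
            (4, '99',    '0', 130, 'other topic');
    """)
    return db


def vulnerable_topic_query(db, topic_id, st):
    """The query leaked in the advisory's first error: 'st' is spliced into the
    LIMIT offset as raw text, so st=1' breaks the statement."""
    sql = ("SELECT * FROM iB313_forum_posts WHERE TOPIC_ID = '%s' "
           "AND QUEUED <> '1' ORDER BY POST_DATE ASC LIMIT %s, 20"
           % (topic_id, st))
    return db.execute(sql).fetchall()


def vulnerable_search(db, keywords):
    """Assumed shape of the search query: the leaked fragment only shows that
    'keywords' ends up inside a parenthesised WHERE clause followed by
    ORDER BY ... LIMIT 0,200. The LIKE expression is a guess."""
    sql = ("SELECT * FROM iB313_forum_posts WHERE (POST LIKE '%%%s%%') "
           "ORDER BY POST_DATE DESC LIMIT 0,200" % keywords)
    return db.execute(sql).fetchall()


def safe_topic_query(db, topic_id, st):
    """Hardened form: 'st' is a row offset, so accept only a plain non-negative
    integer and bind it; the topic id is bound as well."""
    if not re.fullmatch(r"[0-9]{1,9}", str(st)):
        raise ValueError("st must be a non-negative integer")
    return db.execute(
        "SELECT * FROM iB313_forum_posts WHERE TOPIC_ID = ? "
        "AND QUEUED <> '1' ORDER BY POST_DATE ASC LIMIT ?, 20",
        (topic_id, int(st))).fetchall()


def safe_search(db, keywords):
    """Hardened form: bind the pattern and escape LIKE metacharacters so user
    input can neither leave the string literal nor act as a wildcard."""
    pattern = "%" + re.sub(r"([%_\\])", r"\\\1", keywords) + "%"
    return db.execute(
        "SELECT * FROM iB313_forum_posts WHERE (POST LIKE ? ESCAPE '\\') "
        "ORDER BY POST_DATE DESC LIMIT 0,200", (pattern,)).fetchall()


def try_query(fn, *args):
    """Run a query function and report ('ok', rows) or ('error', message)."""
    try:
        return ("ok", fn(*args))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for label, fn, args in [
        ("vulnerable st=1'", vulnerable_topic_query, ("13066", "1'")),
        ("vulnerable keywords='", vulnerable_search, ("'",)),
        ("vulnerable keywords=' OR '1'='1", vulnerable_search, ("' OR '1'='1",)),
        ("hardened st=1'", safe_topic_query, ("13066", "1'")),
        ("hardened keywords=' OR '1'='1", safe_search, ("' OR '1'='1",)),
    ]:
        print(label, "->", try_query(fn, db, *args))
```

Note that with MySQL the integer check on "st" matters even where the driver
cannot bind a placeholder inside LIMIT (client-side emulated prepares); casting
to int before interpolation gives the same guarantee. For "keywords" the bound
parameter removes the injection, and the ESCAPE clause is what stops a user
from turning a name search into a match-everything "%" wildcard.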


II. IMPACT

   A remote user may be able to execute arbitrary SQL commands on the underlying
   database. The verbose error pages also disclose the full query text and the
   table prefix (iB313_), which makes crafting a working injection easier.

III. SOLUTION

   Not available currently. As a general workaround until a vendor fix is
   released, reject any non-numeric value for "st" before it reaches the query
   and pass "keywords" to the database through a bound parameter (or the
   driver's quoting routine) instead of string concatenation.


IV. VENDOR FIX/RESPONSE

   Vendor notified on December 2, 2004 (see "Date Reported" above); no fix had
   been released at the time of this advisory.


V. CREDIT

   This vulnerability was discovered by Positive Technologies using MaxPatrol
   (http://www.maxpatrol.com), an intelligent professional security scanner.
   It is able to detect a substantial number of vulnerabilities that have not
   yet been published. MaxPatrol's intelligent algorithms can also detect many
   vulnerabilities in custom web scripts (XSS, SQL and code injection, HTTP
   response splitting).

