lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 16 Feb 2004 20:34:05 +0100
From: "backspace" <backspace_2k@...ra.es>
To: "bugtraq" <bugtraq@...urityfocus.com>
Cc: <news@...uriteam.com>
Subject: Another YabbSE SQL Injection


Summary
YaBB SE is a PHP/MySQL port of the popular forum software YaBB (yet another
bulletin board).

An SQL injection vulnerability allows a remote attacker to execute malicious
SQL statements on the database remotely

Details
Vulnerable Systems:
 * YaBB SE versions 1.5.4, 1.5.5, possibly others

The file Post.php is vulnerable to SQL injection because the quote parameter
isn't checked against malicious input, so is possible to inject SQL.

How To Exploit the vulnerability:

1- you need to be a registered user to exploit this hole.
2- Click any board you see. ex. General Discussion.
3- Click any message. ex Welcome to YaBB SE!
4- Now view the source code of this page and search this string "sesc"
withou the quotes this is the session id , is an hex number of 32 characters
ex.(13a478d8aa161c2231e6d3b36b6d19f2), you'll need this later
5- now your url is something like this
http://vulnhost/yabbse/index.php?board=1;action=display;threadid=1
6- change your url to look like this.

http://localhost:8080/yabbse//index.php?board=1;sesc=13a478d8aa161c2231e6d3b36b6d19f2;action=post;threadid=1;title=Post+reply;quote=-12)+UNION+SELECT+passwd,null,null,null,null,null,null,null,null+FROM+yabbse_members+where+ID_MEMBER=1/*

the value of sesc is the value you get before from the source code

and voilá  you get the hashed password from the user with the id = 1 in the
Subject textBox something like this
Re:e320774659b1b23333bd033754d21bc4


Vendor Status:
january 23, 2004: I contacted the vendor
january 23, 2004: Vendor says they are working on it.
january 29, 2004: I send another email to know how the work was progressing.
No Response.
february 3, 2004 I send another email to know the status of the work.
february 4, 2004 Vendor says the'll figure how to do.
february 16, 2004 I doesn't want to keep waiting, so i publish the
vulnerability.

Temporal Solution:

Open Post.php and go around line 49

you'll see something like this.

 $quotemsg = $quote;


change to this.

 if ( !is_numeric($quote) )
 {
    die('Go out C==|=======>');
 }

 $quotemsg = $quote;

that's it.


Credits go to: BackSpace

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ