lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 9 Dec 2005 03:49:27 -0800 (PST)
From: alireza hassani <trueend5@...oo.com>
To: bugtraq@...urityfocus.com
Subject: [KAPDA::#16] - SMF SQL Injection


KAPDA New advisory

Vendor: http://www.simplemachines.org/
Vulnerable Version:SMF 1.1 rc1, Other versions also
may be affected.
Bug: SQL Injection
Exploitation: Remote with browser

Description:
--------------------
Simple Machines Forum is a most widely used PHP-based
message board system that uses a MySQL database.
 
Vulnerability:
--------------------
Lets Look at the Source Code of 'Memberlist.php' :
.
.
------------/CUT/------------
if (!is_numeric($_REQUEST['start']))
	{
		$request = db_query("
			SELECT COUNT(ID_MEMBER)
			FROM {$db_prefix}members
			WHERE LOWER(SUBSTRING(realName, 1, 1)) < '" .
substr(strtolower($_REQUEST['start']), 0, 1) . "'
				AND is_activated = 1", __FILE__, __LINE__);
		list ($_REQUEST['start']) =
mysql_fetch_row($request);
		mysql_free_result($request);
	}
------------/CUT/------------
.
.
 
As shown up, The script does not properly validate
user-supplied input in 'start' that may allow a remote
user to launch Sql injection attacks. A Registered
user can create specially crafted parameter values
that will execute SQL commands on the underlying
database.


Demonstration URL :
-----------------------------
http://example.com/smf/index.php?action=mlist;sa=all;start='[SQL]

Solution:
--------------------
There is no vendor supplied patch for this issue at
this time.
Our recommendation for a temporary fix:
In  /Sources/Memberlist.php find these lines: 

//-------Start----
if (!is_numeric($_REQUEST['start']))
	{
//-------End------

And add these lines after those:

//-------Start----
$Pattern="[A-Za-z]";
if (!eregi($Pattern, $_REQUEST['start'])) die('Hacking
attempt...');
//-------End------

Original Advisory:
--------------------
http://irannetjob.com/content/view/173/28/

Credit :
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

Powered by blists - more mailing lists