lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 02 Sep 2006 01:04:20 +0430
From: "Omid" <omid@...kers.ir>
To: <bugtraq@...urityfocus.com>
Subject: Sql injection in SMF [Admin section]

Hi,
There is a sql injection in SMF 1.1 RC3, in admin section :
When an administrator is going to add a new board, the "cur_cat" parameter
is not checked properly :

File /Sources/ManageBoards.php, Line 609 :
:: // Create a new board...
:: if (isset($_POST['add']))
:: {
:: 	// New boards by default go to the bottom of the category.
:: 	if (empty($_POST['new_cat']))
>> 		$boardOptions['target_category'] = $_POST['cur_cat'];
:: 	if (!isset($boardOptions['move_to']))
:: 		$boardOptions['move_to'] = 'bottom';
:: 
>> 	createBoard($boardOptions);
:: }

And in "createBoard()" function :

File /Sources/Subs-Boards.php, Line 1095 :
:: // Insert a board, the settings are dealt with later.
:: db_query("
:: 	INSERT INTO {$db_prefix}boards
:: 		(ID_CAT, name, description, boardOrder, memberGroups)
>> 	VALUES ($boardOptions[target_category], SUBSTRING('$boardOptions[board_name]', 1, 255), '', 0, '-1,0')", __FILE__, __LINE__);

This is in administration section, so it doesnt seem to be critical.


- Omid

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ