Message-ID: <20071118234641.5975.qmail@securityfocus.com>
Date: 18 Nov 2007 23:46:41 -0000
From: aeroxteam-nospam@...il.com
To: bugtraq@...urityfocus.com
Subject: IceBB 1.0rc6 <= Remote SQL Injection

[|Description:|]
A security vulnerability has been discovered in IceBB 1.0-rc6.
It is caused by insufficient filtering of the X-Forwarded-For header value:

> ./includes/functions.php, line 73
$ip	 = empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['REMOTE_ADDR'] : $_SERVER['HTTP_X_FORWARDED_FOR'];
$ip	= $this->clean_key($ip);
$input['ICEBB_USER_IP']	= $ip;

> ./icebb.php, line 169
$icebb->client_ip	= $input['ICEBB_USER_IP'];

> ./admin/index.php, line 112
$icebb->adsess	= $db->fetch_result("SELECT adsess.*,u.id as userid,u.username,u.temp_ban,g.g_view_board FROM icebb_adsess AS adsess LEFT JOIN icebb_users AS u ON u.username=adsess.user LEFT JOIN icebb_groups AS g ON u.user_group=g.gid WHERE adsess.asid='{$icebb->input['s']}' AND adsess.ip='{$icebb->client_ip}' LIMIT 1");

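The client-supplied header value ends up in $icebb->client_ip, which is interpolated directly into the query string, so an attacker could exploit this vulnerability to alter the SQL query.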

[|Exploit:|]
http://www.aeroxteam.fr/exploit-IceBB-1.0rc6.php

[|Solution:|]
None. Update your forum core once a patch is available on the official website.

[|Credits:|]
Gu1ll4um3r0m41n (aeroxteam --[at]-- gmail --[dot]-- com)
for AeroX (AeroXteam.fr)

[|Greetz:|]
Math², KERNEL_ERROR, NeoMorphS, Snake91, Goundy, Alkino (...) And everybody from #aerox
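
Added example, not part of the original advisory and not IceBB code: one way to close the data flow described above, by accepting X-Forwarded-For only from a trusted proxy, validating it as an IP address, and binding the values in the admin-session lookup instead of interpolating them. The function names, the $trustedProxies list and the in-memory SQLite table (reduced to the asid, ip and user columns seen in the advisory's query) are assumptions made for illustration.

```php
<?php
// Added example, not IceBB code. resolve_client_ip(), find_admin_session()
// and $trustedProxies are hypothetical names; the table is a reduced stand-in
// for icebb_adsess with the columns visible in the advisory's query.

function resolve_client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // The header is client-supplied; consider it only when the direct peer
    // is a proxy we operate ourselves.
    if ($xff !== '' && in_array($remote, $trustedProxies, true)) {
        // Take the right-most entry, the one appended by our own proxy.
        $parts     = explode(',', $xff);
        $candidate = trim(end($parts));
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    // Anything else falls back to the socket peer address.
    return $remote;
}

function find_admin_session(PDO $db, string $sid, string $ip)
{
    // Both values are bound parameters, never part of the SQL text.
    $stmt = $db->prepare(
        'SELECT asid, user FROM icebb_adsess WHERE asid = :sid AND ip = :ip LIMIT 1'
    );
    $stmt->execute([':sid' => $sid, ':ip' => $ip]);
    return $stmt->fetch(PDO::FETCH_ASSOC); // row as array, or false if none
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE icebb_adsess (asid TEXT, ip TEXT, user TEXT)');
$db->exec("INSERT INTO icebb_adsess VALUES ('abc123', '198.51.100.20', 'admin')");

// Constructed request: untrusted peer sends a malformed header containing a quote.
$ip = resolve_client_ip(
    ['REMOTE_ADDR' => '198.51.100.20', 'HTTP_X_FORWARDED_FOR' => "not-an-ip'"],
    ['10.0.0.5']
);
var_dump($ip);                                             // header ignored
var_dump(find_admin_session($db, 'abc123', $ip));          // matching row
var_dump(find_admin_session($db, 'abc123', "not-an-ip'")); // no match, no SQL error
```

The bound parameters are the actual fix for the injection; the header validation additionally keeps an attacker-chosen string from being recorded or compared as the client address.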
