SMF 1.1 RC3 Multiple SQL Injection Vulnerabilities

Started by Anonymous, 05 de September , 2006, 05:35:48 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages1
User actions

Anonymous

05 de September , 2006, 05:35:48 PM
SMF Multiple SQL Injection Vulnerabilities

Bugtraq ID:    19814
Class:    Input Validation Error
CVE:    
Remote:    Yes
Local:    No
Published:    Sep 02 2006 12:00AM
Updated:    Sep 02 2006 12:00AM
Credit:    Omid is credited with the discovery of these vulnerabilities.
Vulnerable:    SMF SMF 1.1 RC3

Code Select
sql injection in SMF 1.1 RC3, in admin section :
When an administrator is going to add a new board, the "cur_cat" parameter
is not checked properly :

File /Sources/ManageBoards.php, Line 609 :
:: // Create a new board...
:: if (isset($_POST['add']))
:: {
:: // New boards by default go to the bottom of the category.
:: if (empty($_POST['new_cat']))
>> $boardOptions['target_category'] = $_POST['cur_cat'];
:: if (!isset($boardOptions['move_to']))
:: $boardOptions['move_to'] = 'bottom';
::
>> createBoard($boardOptions);
:: }

And in "createBoard()" function :

File /Sources/Subs-Boards.php, Line 1095 :
:: // Insert a board, the settings are dealt with later.
:: db_query("
:: INSERT INTO {$db_prefix}boards
:: (ID_CAT, name, description, boardOrder, memberGroups)
>> VALUES ($boardOptions[target_category], SUBSTRING('$boardOptions[board_name]', 1, 255), '', 0, '-1,0')", __FILE__, __LINE__);

This is in administration section, so it doesnt seem to be critical.

- Omid
Fonte -> Security FocuS

fast

#1
17 de September , 2006, 11:26:52 PM
seria bom se explicasse melhor como explorar esa vul ae
RootDamages = FasT
FasT = RootDamages

o grupo eh soh eu , nao tem otros integrantes !! , portanto nao eh bem um grupo aiheoaihoa
Print
Go Up Pages1
User actions