From: "Omid" <omid@hackers.ir.>
To: <bugtraq@securityfocus.com.>
Subject: Sql injection in SMF [Admin section]
Date: Sat, 02 Sep 2006 01:04:20 +0430
User-Agent: Hackers.ir/1.0
MIME-Version: 1.0
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: 8bit
Importance: Normal
X-Priority: 3 (Normal)
X-Mailer: Hackers.ir/1.0
X-Virus-Scanned: antivirus-gw at tyumen.ru
Hi,
There is a sql injection in SMF 1.1 RC3, in admin section :
When an administrator is going to add a new board, the "cur_cat" parameter
is not checked properly :
File /Sources/ManageBoards.php, Line 609 :
:: // Create a new board...
:: if (isset($_POST['add']))
:: {
:: // New boards by default go to the bottom of the category.
:: if (empty($_POST['new_cat']))
>> $boardOptions['target_category'] = $_POST['cur_cat'];
:: if (!isset($boardOptions['move_to']))
:: $boardOptions['move_to'] = 'bottom';
::
>> createBoard($boardOptions);
:: }
And in "createBoard()" function :
File /Sources/Subs-Boards.php, Line 1095 :
:: // Insert a board, the settings are dealt with later.
:: db_query("
:: INSERT INTO {$db_prefix}boards
:: (ID_CAT, name, description, boardOrder, memberGroups)
>> VALUES ($boardOptions[target_category], SUBSTRING('$boardOptions[board_name]', 1, 255), '', 0, '-1,0')", __FILE__, __LINE__);
This is in administration section, so it doesnt seem to be critical.
- Omid
