Bugtraq mailing list archives
[KAPDA::#16] - SMF SQL Injection
From: alireza hassani <trueend5 () yahoo com>
Date: Fri, 9 Dec 2005 03:49:27 -0800 (PST)
KAPDA New advisory

Vendor: http://www.simplemachines.org/
Vulnerable Version: SMF 1.1 rc1; other versions may also be affected.
Bug: SQL Injection
Exploitation: Remote with browser

Description:
--------------------
Simple Machines Forum is a very widely used PHP-based message board system that uses a MySQL database.

Vulnerability:
--------------------
Let's look at the source code of 'Memberlist.php':
.
.
------------/CUT/------------
if (!is_numeric($_REQUEST['start']))
{
    $request = db_query("
        SELECT COUNT(ID_MEMBER)
        FROM {$db_prefix}members
        WHERE LOWER(SUBSTRING(realName, 1, 1)) < '" . substr(strtolower($_REQUEST['start']), 0, 1) . "'
            AND is_activated = 1", __FILE__, __LINE__);
    list ($_REQUEST['start']) = mysql_fetch_row($request);
    mysql_free_result($request);
}
------------/CUT/------------
.
.
As shown above, the script does not properly validate user-supplied input in 'start', which may allow a remote user to launch SQL injection attacks. A registered user can create specially crafted parameter values that will execute SQL commands on the underlying database.

Demonstration URL:
-----------------------------
http://example.com/smf/index.php?action=mlist;sa=all;start='[SQL]

Solution:
--------------------
There is no vendor-supplied patch for this issue at this time.
Our recommendation for a temporary fix: in /Sources/Memberlist.php find these lines:

//-------Start----
if (!is_numeric($_REQUEST['start']))
{
//-------End------

And add these lines after those:

//-------Start----
$Pattern="[A-Za-z]";
if (!eregi($Pattern, $_REQUEST['start']))
    die('Hacking attempt...');
//-------End------

Original Advisory:
--------------------
http://irannetjob.com/content/view/173/28/

Credit:
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran [http://www.KAPDA.ir]
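An added example, not code from the advisory or from SMF, showing how the 'start' handling above could be rewritten defensively: the request value is reduced to one of the two shapes the code actually uses (a numeric offset or a single letter) with a strict allow-list, rather than the advisory's presence-of-a-letter check, and the letter reaches MySQL only as a bound parameter. It assumes a mysqli connection in $db alongside SMF's $db_prefix; function names are the example's own.

```php
<?php
// Added example (not SMF's code): strict replacement for the 'start'
// handling in Sources/Memberlist.php. Assumes $db is a mysqli
// connection and $db_prefix is SMF's table prefix.

function normalize_start(string $start)
{
    // Plain offset: digits only. is_numeric() would also accept
    // "1e3", " 12", hex and floats, so a stricter test is used here.
    if (preg_match('/^\d{1,9}$/', $start)) {
        return (int) $start;
    }
    // Letter index: exactly one ASCII letter. Lowercased here so the
    // caller can compare it directly against LOWER(SUBSTRING(...)).
    if (preg_match('/^[A-Za-z]$/', $start)) {
        return strtolower($start);
    }
    // Anything else (quotes, comments, multi-character input) is rejected.
    return null;
}

function member_offset(mysqli $db, string $db_prefix, $start)
{
    if (is_int($start)) {
        return $start;   // already an offset, no query needed
    }
    // Prepared statement: the letter travels as a bound parameter and
    // is never spliced into the SQL text.
    $stmt = $db->prepare(
        "SELECT COUNT(ID_MEMBER) FROM {$db_prefix}members
         WHERE LOWER(SUBSTRING(realName, 1, 1)) < ? AND is_activated = 1"
    );
    $stmt->bind_param('s', $start);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int) $count;
}

$start = normalize_start((string) ($_REQUEST['start'] ?? '0'));
if ($start === null) {
    http_response_code(400);
    exit('Invalid start parameter');
}
$_REQUEST['start'] = member_offset($db, $db_prefix, $start);
```

Rejecting the request outright (rather than silently truncating to the first character, as the original code does) also makes the malformed values easy to spot in web server logs.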