Bugtraq mailing list archives
Sql injection in SMF [Admin section]
From: "Omid" <omid () hackers ir>
Date: Sat, 02 Sep 2006 01:04:20 +0430
Hi, There is a sql injection in SMF 1.1 RC3, in admin section : When an administrator is going to add a new board, the "cur_cat" parameter is not checked properly : File /Sources/ManageBoards.php, Line 609 : :: // Create a new board... :: if (isset($_POST['add'])) :: { :: // New boards by default go to the bottom of the category. :: if (empty($_POST['new_cat']))
$boardOptions['target_category'] = $_POST['cur_cat'];
:: if (!isset($boardOptions['move_to'])) :: $boardOptions['move_to'] = 'bottom'; ::
createBoard($boardOptions);
:: } And in "createBoard()" function : File /Sources/Subs-Boards.php, Line 1095 : :: // Insert a board, the settings are dealt with later. :: db_query(" :: INSERT INTO {$db_prefix}boards :: (ID_CAT, name, description, boardOrder, memberGroups)
VALUES ($boardOptions[target_category], SUBSTRING('$boardOptions[board_name]', 1, 255), '', 0, '-1,0')", __FILE__, __LINE__);
This is in administration section, so it doesnt seem to be critical. - Omid
Current thread:
- Sql injection in SMF [Admin section] Omid (Sep 02)