Bugtraq mailing list archives

[KAPDA::#16] - SMF SQL Injection

From: alireza hassani <trueend5 () yahoo com>
Date: Fri, 9 Dec 2005 03:49:27 -0800 (PST)

KAPDA New advisory

Vendor: http://www.simplemachines.org/
Vulnerable Version:SMF 1.1 rc1, Other versions also
may be affected.
Bug: SQL Injection
Exploitation: Remote with browser

Description:
--------------------
Simple Machines Forum is a most widely used PHP-based
message board system that uses a MySQL database.
 
Vulnerability:
--------------------
Lets Look at the Source Code of 'Memberlist.php' :
.
.
------------/CUT/------------
if (!is_numeric($_REQUEST['start']))
        {
                $request = db_query("
                        SELECT COUNT(ID_MEMBER)
                        FROM {$db_prefix}members
                        WHERE LOWER(SUBSTRING(realName, 1, 1)) < '" .
substr(strtolower($_REQUEST['start']), 0, 1) . "'
                                AND is_activated = 1", __FILE__, __LINE__);
                list ($_REQUEST['start']) =
mysql_fetch_row($request);
                mysql_free_result($request);
        }
------------/CUT/------------
.
.
 
As shown up, The script does not properly validate
user-supplied input in 'start' that may allow a remote
user to launch Sql injection attacks. A Registered
user can create specially crafted parameter values
that will execute SQL commands on the underlying
database.


Demonstration URL :
-----------------------------
http://example.com/smf/index.php?action=mlist;sa=all;start='[SQL]

Solution:
--------------------
There is no vendor supplied patch for this issue at
this time.
Our recommendation for a temporary fix:
In  /Sources/Memberlist.php find these lines: 

//-------Start----
if (!is_numeric($_REQUEST['start']))
        {
//-------End------

And add these lines after those:

//-------Start----
$Pattern="[A-Za-z]";
if (!eregi($Pattern, $_REQUEST['start'])) die('Hacking
attempt...');
//-------End------

Original Advisory:
--------------------
http://irannetjob.com/content/view/173/28/

Credit :
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

Current thread:

[KAPDA::#16] - SMF SQL Injection alireza hassani (Dec 09)
- <Possible follow-ups>
- Re: [KAPDA::#16] - SMF SQL Injection grudge (Dec 10)
  - Re: [KAPDA::#16] - SMF SQL Injection ascii (Dec 12)
- Re: Re: [KAPDA::#16] - SMF SQL Injection retrogod (Dec 12)
- Re: Re: [KAPDA::#16] - SMF SQL Injection polnby (Dec 12)
- Re: Re: [KAPDA::#16] - SMF SQL Injection Steven M. Christey (Dec 12)
- Re: Re: Re: [KAPDA::#16] - SMF SQL Injection grudge (Dec 14)