
View Full Version : [VSA0306] YABBSE 1.4.1 SQL Injection Bugs



VOID.AT Security
21/01/03, 02:16

Subject: [void.at SA] YaBB SE SQL Injection Bugs

[void.at Security Advisory VSA0306]

YaBB SE is a web based forum written in PHP.

Overview
--------

Due to SQL injection bugs, it is possible for a remote
user without an account to get access to user accounts by
resetting or explicitly setting a password.

Affected Versions
-----------------

1.4.1
possibly others

Details
-------

see Reminder.php

Solution
--------

To fix this bug, enable magic_rpc in your php.ini or
filter the user input for special characters.


Exploit
-------

There are two ways to exploit this vulnerability:

* Reset User Password Vulnerability
http://www.myserver.com/yabbse/Reminder.php?searchtype=esearch&user=[yourusername]'%20or%20memberName='[otherusername]

* Set Any User Password Vulnerability

You can only set the password for a user that has been added after your account,
because of the SQL structure.

Discovered by
-------------

crew@void.at

Credits
-------
void.at
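
The input filtering recommended under Solution, shown beside the unsafe query pattern. This is an added example, not code from the advisory or from YaBB SE's Reminder.php. The `members` table, both functions and the sample rows are hypothetical; only the `memberName` column and the shape of the `user` value come from the advisory. Binding the value as a query parameter is an addition beyond the filtering the advisory names.

```php
<?php
// Hypothetical schema and sample rows, constructed for this example.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (id INTEGER PRIMARY KEY, memberName TEXT)");
$db->exec("INSERT INTO members (memberName) VALUES ('alice'), ('bob')");

// "Before": the request value is pasted into the SQL text, so a quote in
// $user ends the string literal and the rest is parsed as SQL.
function lookupConcatenated(PDO $db, string $user): array
{
    $sql = "SELECT memberName FROM members WHERE memberName='$user'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// "After": filter the input for special characters (allow-list), then
// pass it as a bound parameter so it is only ever treated as data.
function lookupBound(PDO $db, string $user): array
{
    if (!preg_match('/^[A-Za-z0-9_.-]{1,80}$/', $user)) {
        return []; // quotes, spaces and other special characters are refused
    }
    $stmt = $db->prepare("SELECT memberName FROM members WHERE memberName = ?");
    $stmt->execute([$user]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed value with the same shape as the `user` parameter in the
// advisory: a name, a closing quote, then an OR on memberName.
$input = "alice' or memberName='bob";

// The concatenated query's WHERE clause now names two accounts instead of
// one; the bound version refuses the same input before any SQL runs.
printf("concatenated matched %d account(s)\n", count(lookupConcatenated($db, $input)));
printf("bound matched %d account(s)\n", count(lookupBound($db, $input)));
printf("bound, plain name: %d account(s)\n", count(lookupBound($db, 'alice')));
```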