[Full-Disclosure] OpenBB 1.06 SQL Injection
- To: full-disclosure@lists.netsys.com
- Subject: [Full-Disclosure] OpenBB 1.06 SQL Injection
- From: n.teusink@planet.nl
- Date: Fri, 26 Dec 2003 21:38:14 +0100
Hello full-disclosure readers,

A vulnerability exists in OpenBB 1.06 that could allow an attacker to manipulate SQL queries and obtain sensitive information from the database, such as the administrator's md5 password hash.

This vulnerability exists because the index.php script of the application does not sufficiently sanitize the input of the "CID" parameter.

As far as I know this vulnerability can only be exploited if the database server the forum uses supports the UNION keyword, so it is probably not exploitable with MySQL 3.x. I have successfully exploited this issue when using MySQL 4 as the database server.
Impact
------
If the admin password is weak enough, the attacker could crack it using a brute force password cracker on the hash and get full control over the forum.
Solution
--------
I have notified the OpenBB developers and they have very quickly (a couple of hours, great work guys!) released a patched version. You can also patch your forum manually as described in the OpenBB advisory:
http://forums.openbb.com/read.php?TID=445
Cheers,
Niels Teusink
http://www.teusink.net
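The CID handling described in the advisory, as an added example that is not OpenBB's code: a strict positive-integer whitelist for the parameter (the property a manual fix to index.php has to enforce before the value reaches a query) and a scan of Apache-style access log lines for UNION-style probing of that parameter. The log lines, paths and client addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

def validate_cid(raw):
    """Whitelist check for a category id: one to ten digits, no leading
    zero, no sign, no whitespace, no trailing junk. Returns int or None."""
    if raw is None or not re.fullmatch(r"[1-9][0-9]{0,9}", raw):
        return None
    return int(raw)

# UNION-based probing of a numeric parameter, or a comment used to
# truncate the rest of the original query.
UNION_PROBE = re.compile(
    r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b|\bselect\b.*\bfrom\b", re.I)
COMMENT_TAIL = re.compile(r"(--|#|/\*)")

def suspicious_cid(value):
    # parse_qs already decoded once; decoding again also catches
    # double-encoded attempts without harming plain values.
    decoded = unquote_plus(value)
    return bool(UNION_PROBE.search(decoded) or COMMENT_TAIL.search(decoded))

LOG_RE = re.compile(
    r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_access_log(lines):
    """Return (client, raw_cid) for requests to index.php whose CID value
    fails the whitelist and looks like SQL rather than a typo."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.group(1), m.group(2)
        url = urlsplit(target)
        if not url.path.endswith("/index.php"):
            continue
        for cid in parse_qs(url.query, keep_blank_values=True).get("CID", []):
            if validate_cid(cid) is None and suspicious_cid(cid):
                hits.append((client, cid))
    return hits

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Dec/2003:21:38:14 +0100] "GET /forum/index.php?CID=7 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [26/Dec/2003:21:40:02 +0100] "GET /forum/index.php?CID=7+UNION+SELECT+1,2,3 HTTP/1.1" 200 4020',
    '10.0.0.9 - - [26/Dec/2003:21:41:30 +0100] "GET /forum/index.php?CID=abc HTTP/1.1" 200 1200',
    '10.0.0.3 - - [26/Dec/2003:21:42:00 +0100] "GET /forum/view.php?TID=445 HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for client, cid in scan_access_log(SAMPLE_LOG):
        print(f"{client}: CID={cid!r}")
```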