[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] OpenBB 1.06 SQL Injection
- To: n.teusink@planet.nl
- Subject: Re: [Full-Disclosure] OpenBB 1.06 SQL Injection
- From: gr00vy <groovy2600@yahoo.com.ar>
- Date: 27 Dec 2003 03:21:16 -0300
Also there are XSS vuln and may be SQL injection (i did not test it):
http://forums.openbb.com/board.php?FID=%3Cscript%3Ealert(document.cookie)%3C/script%3E
On Fri, 2003-12-26 at 17:38, n.teusink@planet.nl wrote:
> Hello full-disclosure readers,
>
> A vulnerability exists in OpenBB 1.06 that could allow an attacker to
> manipulate SQL
> queries and obtain sensitive information from the database such as
> the administrator
> md5 password hash.
> This vulnerability exists because the index.php script of the
> application does not
> sufficiently sanitize the input of the "CID" parameter.
>
> As far as I know this vulnerability can only be exploited if the
> database server the
> forum uses supports the UNION keyword, so it is probably not
> exploitable with
> MySQL 3.x. I have succesfully exploited this issue when using
> MySQL 4 as the
> database server.
>
> Impact
> ------
>
> If the admin password is weak enough the attacker could crack it
> using a brute force
> password cracker on the hash and get full control over the forum.
>
> Solution
> --------
>
> I have notified the OpenBB developers and they have very quickly (a
> couple of hours,
> great work guys!) released a patched version. You can also patch
> your forum
> manually as described in the OpenBB advisory:
> http://forums.openbb.com/read.php?TID=445
>
>
> Cheers,
>
> Niels Teusink
>
> http://www.teusink.net
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html