
SMF11SQL.txt
Posted Dec 14, 2005
Authored by trueend5 | Site KAPDA.ir

Simple Machines Forum version 1.1 rc1 is susceptible to SQL injection attacks.

tags | exploit, sql injection
SHA-256 | fd048e492eda40c3d6301b7ec2d684adefb8d1c98ef0a539b0d176e3ac246fc0

KAPDA New advisory

Vendor: http://www.simplemachines.org/
Vulnerable Version: SMF 1.1 rc1. Other versions may also be affected.
Bug: SQL Injection
Exploitation: Remote with browser

Description:
--------------------
Simple Machines Forum is a widely used PHP-based
message board system that uses a MySQL database.

Vulnerability:
--------------------
Let's look at the source code of 'Memberlist.php':
.
.
------------/CUT/------------
if (!is_numeric($_REQUEST['start']))
{
    // A non-numeric 'start' is treated as a letter: count the members whose
    // name sorts before it, and use that count as the new offset.
    $request = db_query("
        SELECT COUNT(ID_MEMBER)
        FROM {$db_prefix}members
        WHERE LOWER(SUBSTRING(realName, 1, 1)) < '" . substr(strtolower($_REQUEST['start']), 0, 1) . "'
            AND is_activated = 1", __FILE__, __LINE__);
    list ($_REQUEST['start']) = mysql_fetch_row($request);
    mysql_free_result($request);
}
------------/CUT/------------
.
.

As shown above, the script does not properly validate
user-supplied input in 'start', which may allow a remote
user to launch SQL injection attacks. A registered
user can create specially crafted parameter values
that will execute SQL commands on the underlying
database.


Demonstration URL:
-----------------------------
http://example.com/smf/index.php?action=mlist;sa=all;start='[SQL]

Solution:
--------------------
There is no vendor-supplied patch for this issue at
this time.
Our recommendation for a temporary fix:
In /Sources/Memberlist.php, find these lines:

//-------Start----
if (!is_numeric($_REQUEST['start']))
{
//-------End------

And add these lines after those:

//-------Start----
// Anchored with ^ so that the first character, the only one the query uses,
// must be a letter.
$Pattern="^[A-Za-z]";
if (!eregi($Pattern, $_REQUEST['start'])) die('Hacking attempt...');
//-------End------
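
A stricter way to validate 'start' before it reaches the query, as an added example that is not part of the original advisory or of SMF's code. The helpers normalize_mlist_start() and loose_letter_check() are hypothetical, the inputs are constructed, and preg_match is used because later PHP versions removed eregi. The output contrasts a letter pattern with no anchors against a check that accepts only an all-digit offset or exactly one ASCII letter.

```php
<?php
// Added example: normalize_mlist_start() and loose_letter_check() are
// hypothetical helpers, not SMF functions. Sample inputs are constructed.

// Return an int offset, one lowercase ASCII letter, or null to reject.
function normalize_mlist_start($raw)
{
    if (!is_string($raw)) {
        return null;                 // e.g. start[]=k arrives as an array
    }
    if (ctype_digit($raw)) {
        return (int) $raw;           // page offset: digits only, no sign or exponent
    }
    // ^...$ with /D: the whole value must be one letter, and $ may not
    // match before a trailing newline.
    if (preg_match('/^[A-Za-z]$/D', $raw) === 1) {
        return strtolower($raw);
    }
    return null;
}

// For contrast: a letter class with no anchors matches a letter anywhere.
function loose_letter_check($raw)
{
    return is_string($raw) && preg_match('/[A-Za-z]/', $raw) === 1;
}

$samples = array('25', 'k', 'K', "k\n", "'k", 'kx', '', array('k'));

foreach ($samples as $raw) {
    $strict = normalize_mlist_start($raw);
    printf(
        "%-8s loose=%-6s strict=%s\n",
        json_encode($raw),
        loose_letter_check($raw) ? 'pass' : 'reject',
        $strict === null ? 'reject' : var_export($strict, true)
    );
}
```

Only the strict result is a value that can be concatenated into the query: it is either an integer or one of 26 lowercase letters.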

Original Advisory:
--------------------
http://irannetjob.com/content/view/173/28/

Credit:
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]
