


Category:   Application (Forum/Board/Portal)  >   Lokwa BB
Vendors:   Lokwa
Lokwa BB Bulletin Board Bugs Let Remote Authenticated Users Read Private Messages and Also Execute SQL Commands on the Database
SecurityTracker Alert ID:  1004495
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 9 2002
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.2.2
Description:   Several vulnerabilities were reported in the Lokwa BB bulletin board. A remote authenticated user can read private messages of other users and can inject SQL commands to be executed by the underlying database.

It is reported that the 'member.php' script does not validate user-supplied input in the '$member' variable. So, a remote user could submit a URL that contains SQL commands to be executed by the underlying database.

For example, the following type of URL will result in an SQL command being executed on the server:


The command will be:

SELECT * FROM lokwa_users WHERE username='' OR password='PASSWORD'

This can be used to retrieve the passwords for all accounts on the system. The same type of exploit method can be used by a remote authenticated user to post messages and retrieve various information from the database.

A similar flaw reportedly exists in the 'misc.php' script.

It is reported that when a user replies to a message, the pm.php script does not verify that the message being replied to was actually sent to the replying user. The following type of URL can be submitted by a remote user to view message #1 regardless of whether message #1 was originally addressed to that user.
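To make both flaws concrete for defenders, here is an added Python/sqlite3 example (not code from Lokwa BB or from the advisory) that reproduces the query shape quoted above beside its parameterized form, and the missing recipient check in the pm.php reply path beside a query that enforces it. The table name lokwa_users comes from the advisory; lokwa_pm, all column names and the sample rows are assumed and constructed here.

```python
import sqlite3

# Constructed in-memory stand-in for the board's tables. The table name
# lokwa_users is from the advisory; lokwa_pm and every column are assumed.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE lokwa_users(username TEXT, password TEXT);
        INSERT INTO lokwa_users VALUES ('alice','s3cret'), ('carol','PASSWORD');
        CREATE TABLE lokwa_pm(pmid INTEGER, recipient TEXT, body TEXT);
        INSERT INTO lokwa_pm VALUES (1,'alice','for alice only'), (2,'bob','hi bob');
    """)
    return db

def lookup_vulnerable(db, member):
    # The flaw: $member is spliced into the SQL text, so a quote inside it
    # closes the string literal and the remainder is parsed as SQL.
    sql = f"SELECT username, password FROM lokwa_users WHERE username='{member}'"
    return db.execute(sql).fetchall()

def lookup_fixed(db, member):
    # Bound parameter: the value is treated as data, never as SQL.
    sql = "SELECT username, password FROM lokwa_users WHERE username=?"
    return db.execute(sql, (member,)).fetchall()

def pm_reply_vulnerable(db, current_user, pmid):
    # Mirrors pm.php: the message is fetched by id with no recipient check.
    row = db.execute("SELECT body FROM lokwa_pm WHERE pmid=?", (pmid,)).fetchone()
    return row[0] if row else None

def pm_reply_fixed(db, current_user, pmid):
    # Ownership enforced in the query: only the addressee can load the message.
    row = db.execute("SELECT body FROM lokwa_pm WHERE pmid=? AND recipient=?",
                     (pmid, current_user)).fetchone()
    return row[0] if row else None

# Input shaped like the advisory's; the vulnerable query becomes
#   ... WHERE username='' OR password='PASSWORD'
PAYLOAD = "' OR password='PASSWORD"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, PAYLOAD))     # [('carol', 'PASSWORD')]: a row the username never matched
    print(lookup_fixed(db, PAYLOAD))          # []: no user has that literal name
    print(pm_reply_vulnerable(db, "bob", 1))  # 'for alice only'
    print(pm_reply_fixed(db, "bob", 1))       # None
```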

The original advisory is available (in French) at:

Impact:   A remote user can execute arbitrary SQL commands on the database. This allows the remote user to view passwords and other information for users on the bulletin board.

A remote user can also view private messages belonging to other users.

Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  Security holes in LokwaBB and W-Agora

Somebody advised me to post on bugtraq as well, not only on vuln-dev, so I am doing it :)  I just hope that doesn't give more work to the webmasters.

Product 1 :
W-Agora 4.1.3

Problem:
- File inclusion

Exploits:
- With a file:

- With a file:

- With the file:

More details in French:

Translated by Google:

Product 2 :
LokwaBB 1.2.2

Problems:
- Private message reading
- SQL injection

Exploits:
- misc.php?action=forgot&send=yes&loser='%20OR%20password='PASSWORD
- http://[target]/pm.php?action=reply&pmid=[MESSAGE ID]

More details in French:

Translated by Google:

Sorry for my poor English :)


