[MaxPatrol] SQL-injection in Ikonboard 3.1.x

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [MaxPatrol] SQL-injection in Ikonboard 3.1.x
From: Alexander Anisimov <anisimov@xxxxxxxxxxxxxx>
Date: 16 Dec 2004 22:51:08 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Release Date: December 16, 2004
Date Reported: December 2, 2004
Severity: High
Application: Ikonboard 3.1.x
Affects versions: 3.1.0, 3.1.1, 3.1.2 and 3.1.3.
Platform: PHP

I. DESCRIPTION

Input passed to the "st" and "keywords" parameters in "ikonboard.cgi" is not
properly sanitised before being used in a SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.

1) SQL injection in "st" parameter

Example:
http://host/support/ikonboard.cgi?act=ST&f=27&t=13066&hl=nickname&st=1'

Result:
Ikonboard CGI Error
-----------------------------------------------------------------------
Ikonboard has exited with the following error:

Can't query the data from 'forum_posts' Reason: You have an error in your SQL
syntax. Check the manual that corresponds to your MySQL server version for the
right syntax to use near '', 20'

This error was reported at: line 1 Query: SELECT * FROM iB313_forum_posts WHERE
TOPIC_ID = '13066' AND QUEUED <> '1' ORDER BY POST_DATE ASC LIMIT 1', 20

Please note that your 'real' paths have been removed to protect your
information.
-----------------------------------------------------------------------

2) SQL injection in "keywords" parameter

Example:
http://host/support/ikonboard.cgi?act=Search&CODE=01&keywords='&type=name&forums=all&search_in=all&prune=0

Result:
Ikonboard CGI Error
-----------------------------------------------------------------------
Ikonboard has exited with the following error:

mySQL error
Can't query the data: You have an error in your SQL syntax. Check the manual
that corresponds to your MySQL server version for the right syntax to use near
') ORDER BY DATE DESC LIMIT 0,200'

This error was reported at: line 1

Please note that your 'real' paths have been removed to protect your
information.
-----------------------------------------------------------------------

This vulnerability found automatically by full-featured commercial version of
MaxPatrol.

II. IMPACT

A remote user may be able to execute arbitrary SQL commands on the
underlying database.

III. SOLUTION

Not available currently.

IV. VENDOR FIX/RESPONSE

Notified.

V. CREDIT

This vulnerability was discovered by Positive Technologies using MaxPatrol
(http://www.maxpatrol.com) - intellectual professional security scanner.
It is able to detect a substantial amount of vulnerabilities not published
yet. MaxPatrol's intelligent algorithms are also capable to detect a lot of
vulnerabilities in custom web-scripts (XSS, SQL and code injections, HTTP
Response splitting).

Prev by Date: Multiple XSS Vulnerabilities in Wordpress 1.2.1
Next by Date: DJB's students release 44 *nix software vulnerability advisories
Previous by thread: Multiple XSS Vulnerabilities in Wordpress 1.2.1
Next by thread: DJB's students release 44 *nix software vulnerability advisories
Index(es):
- Date
- Thread