[KAPDA::#16] - SMF SQL Injection
KAPDA New advisory
Vendor: http://www.simplemachines.org/
Vulnerable Version:SMF 1.1 rc1, Other versions also
may be affected.
Bug: SQL Injection
Exploitation: Remote with browser
Description:
--------------------
Simple Machines Forum is a most widely used PHP-based
message board system that uses a MySQL database.
Vulnerability:
--------------------
Lets Look at the Source Code of 'Memberlist.php' :
.
.
------------/CUT/------------
if (!is_numeric($_REQUEST['start']))
{
$request = db_query("
SELECT COUNT(ID_MEMBER)
FROM {$db_prefix}members
WHERE LOWER(SUBSTRING(realName, 1, 1)) < '" .
substr(strtolower($_REQUEST['start']), 0, 1) . "'
AND is_activated = 1", __FILE__, __LINE__);
list ($_REQUEST['start']) =
mysql_fetch_row($request);
mysql_free_result($request);
}
------------/CUT/------------
.
.
As shown up, The script does not properly validate
user-supplied input in 'start' that may allow a remote
user to launch Sql injection attacks. A Registered
user can create specially crafted parameter values
that will execute SQL commands on the underlying
database.
Demonstration URL :
-----------------------------
http://example.com/smf/index.php?action=mlist;sa=all;start='[SQL]
Solution:
--------------------
There is no vendor supplied patch for this issue at
this time.
Our recommendation for a temporary fix:
In /Sources/Memberlist.php find these lines:
//-------Start----
if (!is_numeric($_REQUEST['start']))
{
//-------End------
And add these lines after those:
//-------Start----
$Pattern="[A-Za-z]";
if (!eregi($Pattern, $_REQUEST['start'])) die('Hacking
attempt...');
//-------End------
Original Advisory:
--------------------
http://irannetjob.com/content/view/173/28/
Credit :
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com