[KAPDA::#16] - SMF SQL Injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [KAPDA::#16] - SMF SQL Injection
From: alireza hassani <trueend5@xxxxxxxxx>
Date: Fri, 9 Dec 2005 03:49:27 -0800 (PST)
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=Rjv2QGQXcOXAL+7/Fjwyl7nhj0xM3U47ckXY80l/4561+e5nqSfkfaelCm1LPEnDxEapX+hCKbUVmpM7FuXjMn1lVdnIoo8r6FEBiOONsE//NSnJKbInDIGeBgUIc02nXvOu1AApKfDlQGxWo522yPbLd7Nmsqr2vBOjNGkT1sE= ;
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

KAPDA New advisory

Vendor: http://www.simplemachines.org/
Vulnerable Version:SMF 1.1 rc1, Other versions also
may be affected.
Bug: SQL Injection
Exploitation: Remote with browser

Description:
--------------------
Simple Machines Forum is a most widely used PHP-based
message board system that uses a MySQL database.
 
Vulnerability:
--------------------
Lets Look at the Source Code of 'Memberlist.php' :
.
.
------------/CUT/------------
if (!is_numeric($_REQUEST['start']))
        {
                $request = db_query("
                        SELECT COUNT(ID_MEMBER)
                        FROM {$db_prefix}members
                        WHERE LOWER(SUBSTRING(realName, 1, 1)) < '" .
substr(strtolower($_REQUEST['start']), 0, 1) . "'
                                AND is_activated = 1", __FILE__, __LINE__);
                list ($_REQUEST['start']) =
mysql_fetch_row($request);
                mysql_free_result($request);
        }
------------/CUT/------------
.
.
 
As shown up, The script does not properly validate
user-supplied input in 'start' that may allow a remote
user to launch Sql injection attacks. A Registered
user can create specially crafted parameter values
that will execute SQL commands on the underlying
database.


Demonstration URL :
-----------------------------
http://example.com/smf/index.php?action=mlist;sa=all;start='[SQL]

Solution:
--------------------
There is no vendor supplied patch for this issue at
this time.
Our recommendation for a temporary fix:
In  /Sources/Memberlist.php find these lines: 

//-------Start----
if (!is_numeric($_REQUEST['start']))
        {
//-------End------

And add these lines after those:

//-------Start----
$Pattern="[A-Za-z]";
if (!eregi($Pattern, $_REQUEST['start'])) die('Hacking
attempt...');
//-------End------

Original Advisory:
--------------------
http://irannetjob.com/content/view/173/28/

Credit :
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

Prev by Date: Re: 3com product security hole
Next by Date: Milliscript 1.4 Multiple Vulnerabilities
Previous by thread: [TKPN2005-12-001] Multiple critical vulnerabilities in MyBB
Next by thread: Re: [KAPDA::#16] - SMF SQL Injection
Index(es):
- Date
- Thread