WWWThread RC 3 MultBugs

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: WWWThread RC 3 MultBugs
From: o.y.6@xxxxxxxxxxx
Date: 19 Apr 2006 19:01:08 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

[code]// --- WWWThread RC 3 MultBugs --- //

        * D3vil-0x1 | Devil-00
    * www.securitygurus.net
    * Gr33tz
        - HACKERS PAL | n0m3rcy | -

                &
                                All Others << i forgot them :))

//---------------------------------//

//---------------------------------// [ Bug 1 ] 
//---------------------------------//

// File name :- register.php
// Bug :- Remote [ _COKKIE['forumreferrer] ] SQL Injection

/* Code
        //
if(isset($_COOKIE["forumreferrer"]))
        {
                $referral_id = $_COOKIE["forumreferrer"];
                $result = $db->query('SELECT referral_count FROM 
'.$db->prefix.'users WHERE id='.$referral_id)            or 
error(mysql_error(), __FILE__, __LINE__, $db->error());
                list($referral_val) = $db->fetch_row($result);
                $rval = $referral_val[0] + 1;
                $db->query('UPDATE '.$db->prefix.'users SET referral_count='. 
$rval . ' WHERE id='.$                              referral_id) or 
error(mysql_error(), __FILE__, __LINE__, $db->error());
        }
    //
*/

Fix :-

/*
$referral_id = intval($_COOKIE["forumreferrer"]);
*/


//---------------------------------// //---------------------------------// 
//---------------------------------// //---------------------------------// 
//---------------------------------// //---------------------------------// 
//---------------------------------// //---------------------------------//

//---------------------------------//  [ Bug 2 ] 
//---------------------------------//

// File name :- message_list.php
// Bug :- Remote SQL Injection

/* Code

if( isset($_POST['delete_messages']) || isset($_POST['delete_messages_comply']) 
)
{
        if( isset($_POST['delete_messages_comply']) )
        {
                confirm_referrer('message_list.php');
                $db->query('DELETE FROM '.$db->prefix.'messages WHERE id 
IN('.$_POST['messages'].') AND owner=                  
\''.$forum_user['id'].'\'') or error(mysql_error(), __FILE__, __LINE__, 
$db->error());
                redirect('message_list.php?box='.$_POST['box'], 
$lang_pms['Deleted redirect']);
        }

*/

// Fix :-

Replace with this code :D

if( isset($_POST['delete_messages']) || isset($_POST['delete_messages_comply']) 
)
{
        if( isset($_POST['delete_messages_comply']) )
        {
                confirm_referrer('message_list.php');
                $db->query('DELETE FROM '.$db->prefix.'messages WHERE id 
IN('.intval($_POST['messages']).') AND owner=                  
\''.$forum_user['id'].'\'') or error(mysql_error(), __FILE__, __LINE__, 
$db->error());
                redirect('message_list.php?box='.$_POST['box'], 
$lang_pms['Deleted redirect']);
        }

// Exploit

- Resend This Requsit By HTTPLiveHeaders :D -

messages=[SQL]&box=0&delete_messages_comply=Delete
[/code]

Prev by Date: Fortinet28 box does not resist has small synflood!
Next by Date: Re: Multiple Vulnerabilities in LucidCMS
Previous by thread: Fortinet28 box does not resist has small synflood!
Next by thread: Tlen.PL e-mail XSS vulnerability.
Index(es):
- Date
- Thread