Sql injection in SMF [Admin section]

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Sql injection in SMF [Admin section]
From: "Omid" <omid@xxxxxxxxxx>
Date: Sat, 02 Sep 2006 01:04:20 +0430
Importance: Normal
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Hackers.ir/1.0

Hi,
There is a sql injection in SMF 1.1 RC3, in admin section :
When an administrator is going to add a new board, the "cur_cat" parameter
is not checked properly :

File /Sources/ManageBoards.php, Line 609 :
:: // Create a new board...
:: if (isset($_POST['add']))
:: {
::      // New boards by default go to the bottom of the category.
::      if (empty($_POST['new_cat']))
>>              $boardOptions['target_category'] = $_POST['cur_cat'];
::      if (!isset($boardOptions['move_to']))
::              $boardOptions['move_to'] = 'bottom';
:: 
>>      createBoard($boardOptions);
:: }

And in "createBoard()" function :

File /Sources/Subs-Boards.php, Line 1095 :
:: // Insert a board, the settings are dealt with later.
:: db_query("
::      INSERT INTO {$db_prefix}boards
::              (ID_CAT, name, description, boardOrder, memberGroups)
>>      VALUES ($boardOptions[target_category], 
>> SUBSTRING('$boardOptions[board_name]', 1, 255), '', 0, '-1,0')", __FILE__, 
>> __LINE__);

This is in administration section, so it doesnt seem to be critical.


- Omid

Prev by Date: Icblogger <= "YID" Remote Blind SQL Injection
Next by Date: Sql injections in e107 [Admin section]
Previous by thread: Icblogger <= "YID" Remote Blind SQL Injection
Next by thread: Sql injections in e107 [Admin section]
Index(es):
- Date
- Thread