SECURITYVULNS:DOC:12116 (Securityvulns), Apr 10, 2006

Papoo Multiple SQL vuln.

###############################################
Vuln. discovered by: r0t
Date: 10 April 2006
Vendor: http://www.papoo.de/
Affected versions: 2.1.5 & 3 beta1 and previous
###############################################

Vuln. description:

Papoo contains a flaw that allows remote SQL injection attacks. Input
passed to the "getlang" and "reporeid" parameters in "index.php", to the
"msgid" and "menuid" parameters in "forumthread.php", and to the "menuid"
parameter in "plugin.php" isn't properly sanitised before being used in a
SQL query. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

examples:

/index.php?getlang=[SQL]
/plugin.php?menuid=[SQL]
/index.php?menuid=&reporeid=[SQL]
/forumthread.php?forumid=1&menuid=1&rootid=9895&msgid=[SQL]
/forumthread.php?forumid=1&menuid=[SQL]

###############################################

Additional info: I discovered and reported some SQL vulns in Papoo
2.1.2 on 21 December 2005, and nothing was fixed.
Then Dj_Eyes, Crouz Security Team, discovered a similar vuln. It was in
the 2.1.4 version @ 2006-02-09…

So, I didn't check if the old reported bugs are fixed, just saw that "menuid" is
still a good one :)

So, GreetZ to Vendors!

here u got refs:

http://pridels.blogspot.com/2005/12/papoo-multiple-sql-vuln.html
http://secunia.com/advisories/18152/

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/
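
The "Solution" above, sketched as an added example (not code from the advisory or from Papoo): strict validation of the listed parameters followed by a bound query. It assumes that "menuid", "msgid", "reporeid", "forumid" and "rootid" are numeric ids and that "getlang" is a short language code; the `demo_menu` table, the helper names and the SQLite database are hypothetical.

```php
<?php
// Added illustration, not Papoo source. Table and function names are hypothetical.
const LANGS = ['de', 'en'];  // assumed allowlist for "getlang"

// Assumption: menuid, msgid, reporeid, forumid and rootid are numeric ids.
function int_param(array $src, string $name): ?int
{
    $v = $src[$name] ?? null;
    // Reject missing values, arrays (menuid[]=1), signs, spaces, quotes, comments.
    if (!is_string($v) || !ctype_digit($v) || strlen($v) > 9) {
        return null;
    }
    return (int) $v;
}

function lang_param(array $src): string
{
    $v = $src['getlang'] ?? '';
    return (is_string($v) && in_array($v, LANGS, true)) ? $v : LANGS[0];
}

// Values are bound as parameters, never concatenated into the SQL text.
function load_menu(PDO $db, int $menuid, string $lang): array
{
    $st = $db->prepare('SELECT title FROM demo_menu WHERE menuid = :id AND lang = :lang');
    $st->bindValue(':id', $menuid, PDO::PARAM_INT);
    $st->bindValue(':lang', $lang, PDO::PARAM_STR);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE demo_menu (menuid INTEGER, lang TEXT, title TEXT)");
$db->exec("INSERT INTO demo_menu VALUES (1,'de','Startseite'),(1,'en','Home'),(2,'en','Forum')");

// Constructed requests standing in for $_GET: one valid, three malformed.
$requests = [
    ['menuid' => '1', 'getlang' => 'en'],
    ['menuid' => '1 OR 1=1', 'getlang' => 'en'],
    ['menuid' => '2', 'getlang' => "en' --"],
    ['menuid' => ['1']],
];
foreach ($requests as $get) {
    $id = int_param($get, 'menuid');
    $out = $id === null ? 'rejected' : implode(',', load_menu($db, $id, lang_param($get)));
    echo json_encode($get), ' => ', $out, PHP_EOL;
}
```

Validation and binding are independent layers: the integer check rejects malformed ids before any query runs, and the bound parameters keep the query structure fixed even if a value slips past validation.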