Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12338
HistoryApr 20, 2006 - 12:00 a.m.

WWWThread RC 3 MultBugs

2006-04-2000:00:00
vulners.com
8
JSON

[code]// — WWWThread RC 3 MultBugs — //

    * D3vil-0x1 | Devil-00
* www.securitygurus.net
* Gr33tz
    - HACKERS PAL | n0m3rcy | -

            &
                            All Others << i forgot them :))

//---------------------------------//

//---------------------------------// [ Bug 1 ] //---------------------------------//

// File name :- register.php
// Bug :- Remote [ _COKKIE['forumreferrer] ] SQL Injection

/* Code
//
if(isset($_COOKIE["forumreferrer"]))
{
$referral_id = $_COOKIE["forumreferrer"];
$result = $db->query('SELECT referral_count FROM '.$db->prefix.'users WHERE id='.$referral_id) or error(mysql_error(), FILE, LINE, $db->error());
list($referral_val) = $db->fetch_row($result);
$rval = $referral_val[0] + 1;
$db->query('UPDATE '.$db->prefix.'users SET referral_count='. $rval . ' WHERE id='.$ referral_id) or error(mysql_error(), FILE, LINE, $db->error());
}
//
*/

Fix :-

/*
$referral_id = intval($_COOKIE["forumreferrer"]);
*/

//---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------//

//---------------------------------// [ Bug 2 ] //---------------------------------//

// File name :- message_list.php
// Bug :- Remote SQL Injection

/* Code

if( isset($_POST['delete_messages']) || isset($_POST['delete_messages_comply']) )
{
if( isset($_POST['delete_messages_comply']) )
{
confirm_referrer('message_list.php');
$db->query('DELETE FROM '.$db->prefix.'messages WHERE id IN('.$_POST['messages'].') AND owner= \''.$forum_user['id'].'\'') or error(mysql_error(), FILE, LINE, $db->error());
redirect('message_list.php?box='.$_POST['box'], $lang_pms['Deleted redirect']);
}

*/

// Fix :-

Replace with this code :D

if( isset($_POST['delete_messages']) || isset($_POST['delete_messages_comply']) )
{
if( isset($_POST['delete_messages_comply']) )
{
confirm_referrer('message_list.php');
$db->query('DELETE FROM '.$db->prefix.'messages WHERE id IN('.intval($_POST['messages']).') AND owner= \''.$forum_user['id'].'\'') or error(mysql_error(), FILE, LINE, $db->error());
redirect('message_list.php?box='.$_POST['box'], $lang_pms['Deleted redirect']);
}

// Exploit

  • Resend This Requsit By HTTPLiveHeaders :D -

messages=[SQL]&box=0&delete_messages_comply=Delete
[/code]

JSON