KAPDA New advisory Vendor: http://www.simplemachines.org/ Vulnerable Version:SMF 1.1 rc1, Other versions also may be affected. Bug: SQL Injection Exploitation: Remote with browser Description: -------------------- Simple Machines Forum is a most widely used PHP-based message board system that uses a MySQL database. Vulnerability: -------------------- Lets Look at the Source Code of 'Memberlist.php' : . . ------------/CUT/------------ if (!is_numeric($_REQUEST['start'])) { $request = db_query(" SELECT COUNT(ID_MEMBER) FROM {$db_prefix}members WHERE LOWER(SUBSTRING(realName, 1, 1)) < '" . substr(strtolower($_REQUEST['start']), 0, 1) . "' AND is_activated = 1", __FILE__, __LINE__); list ($_REQUEST['start']) = mysql_fetch_row($request); mysql_free_result($request); } ------------/CUT/------------ . . As shown up, The script does not properly validate user-supplied input in 'start' that may allow a remote user to launch Sql injection attacks. A Registered user can create specially crafted parameter values that will execute SQL commands on the underlying database. Demonstration URL : ----------------------------- http://example.com/smf/index.php?action=mlist;sa=all;start='[SQL] Solution: -------------------- There is no vendor supplied patch for this issue at this time. Our recommendation for a temporary fix: In /Sources/Memberlist.php find these lines: //-------Start---- if (!is_numeric($_REQUEST['start'])) { //-------End------ And add these lines after those: //-------Start---- $Pattern="[A-Za-z]"; if (!eregi($Pattern, $_REQUEST['start'])) die('Hacking attempt...'); //-------End------ Original Advisory: -------------------- http://irannetjob.com/content/view/173/28/ Credit : -------------------- Discovered & released by trueend5 (trueend5 kapda ir) Security Science Researchers Institute Of Iran [http://www.KAPDA.ir] __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
