WhiteBoard 0.1.30 Multiple Blind SQL Injection Vulnerabilities
<html><head><title>WhiteBoard 0.1.30 Multiple Blind SQL Injection Vulnerabilities</title></head><body><pre>==============================================================
WhiteBoard 0.1.30 Multiple Blind SQL Injection Vulnerabilities
==============================================================
Name               WhiteBoard
Vendor             http://sarosoftware.com
Versions Affected  0.1.30
Author             Salvatore Fresta aka Drosophila
Website            http://www.salvatorefresta.net
Contact            salvatorefresta [at] gmail [dot] com
Date               2010-07-24
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
________________________
WhiteBoard is a fast, powerful, and free open source
discussion board solution. The project started in March
of 2007, and its recent release is the culmination of
three years of hard work. Developed by a Zend Certified
PHP Engineer, this discussion board uses advanced
algorithms and features which previously were only
available in paid discussion board solutions.
II. DESCRIPTION
_______________
The email and displayname parameters that controlpanel.php
receives via POST are not properly sanitised before being
used in SQL queries.
III. ANALYSIS
_____________
Summary:
A) Multiple Blind SQL Injection
A) Multiple Blind SQL Injection
______________________
The parameters email and displayname sent via POST to
controlpanel.php are not properly sanitised before being
used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code. The query's
result is not reflected in the response, so the injection
is blind: the sample code below makes a true condition
observable as a response delay via BENCHMARK().
Successful exploitation requires that "magic_quotes_gpc"
is disabled, since the injection relies on a literal
single quote to close the string; with magic_quotes_gpc
on, PHP escapes it as \' before the script sees it.
IV. SAMPLE CODE
_______________
A) Multiple Blind SQL Injection
1 - Login as a normal user.
2 - Go to index.php?act=controlPanel
Try the following code as "Display Name" or "E-mail":
' OR (SELECT(IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)))#
ASCII(0x41) = 65 is always true, so a noticeably delayed
response confirms the injection; replace that condition
with one on stored data to infer its value bit by bit.
V. FIX
______
No fix.
# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-25]</pre></body></html>
Source: http://inj3ct0r.com/exploits/13475
