
[Full-Disclosure] [bWM#015] SQL-Injection @ Woltlab BurningBoard + MOD Guthabenhack 1.3



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.0.6336.0">
<TITLE>[Full-Disclosure] [bWM#015] SQL-Injection @ Woltlab Burning Board + MOD Guthabenhack 1.3</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<BR>

<P><FONT SIZE=2>badWebMasters security advisory #015<BR>
<BR>
SQL-Injection @ Woltlab Burning Board + MOD Guthabenhack 1.3<BR>
<BR>
<BR>
Discovery date: 2003-07-28<BR>
&nbsp;<BR>
Original advisory:<BR>
<A HREF="http://badwebmasters.net/advisory/015/">http://badwebmasters.net/advisory/015/</A> (text/html)<BR>
<BR>
&nbsp;<BR>
Legal Notice:<BR>
Copyright 2003 by Benjamin Klimmek (ben moeckel - badWebMasters)!<BR>
You may distribute it unmodified.<BR>
You may not modify it and distribute it or distribute parts of it<BR>
without giving credits and the URL where the original advisory can be<BR>
found!<BR>
This document may change without notice.<BR>
<BR>
&nbsp;<BR>
Author:<BR>
ben moeckel (<A HREF="http://distressed.de">http://distressed.de</A>)<BR>
mailto: badwebmasters@online.de<BR>
<BR>
&nbsp;<BR>
Description:<BR>
With the &quot;Guthaben hack&quot; (that includes Zwerg's &quot;User Werben Hack&quot; 3.0)<BR>
for Woltlab Burning Board you can get credits for promoting new members.<BR>
The new user may add the promoter's ID into the registration form, so he<BR>
can get his credits.<BR>
<BR>
Due to an input validation bug the &quot;User Werben&quot;-MOD is vulnerable to a<BR>
SQL injection attack. This makes it possible for a malicious user to<BR>
gain admin rights.<BR>
<BR>
&nbsp;<BR>
Exploit:<BR>
The field has a maxlength value of 10, so the attacker may use IE +<BR>
JavaScript to inject the SQL string:<BR>
<BR>
javascript:x=document.forms[0].geworbenv;x.value=&quot;,<BR>
groupid=1&quot;;alert(x.value);<BR>
<BR>
&nbsp;<BR>
Vendor:<BR>
Vendor has been contacted by php-masta, no reply received.<BR>
<BR>
&nbsp;<BR>
Thanks:<BR>
php-masta (php-masta.net) for inviting me to join his board ;)<BR>
<BR>
&nbsp;<BR>
Feedback:<BR>
Comments, suggestions, updates, anything else?<BR>
&nbsp;&nbsp; -&gt; <A HREF="mailto:badwebmasters@online.de">mailto:badwebmasters@online.de</A><BR>
<BR>
&nbsp;<BR>
__________________________________________<BR>
<BR>
badWebMasters - ben moeckel security research<BR>
<A HREF="http://badwebmasters.de">http://badwebmasters.de</A> <A HREF="http://badwebmasters.net">http://badwebmasters.net</A><BR>
copyright 2k1-3 by Benjamin Klimmek / Germany<BR>
<A HREF="mailto:badwebmasters@online.de">mailto:badwebmasters@online.de</A><BR>
_______________________________________________<BR>
Full-Disclosure - We believe in it.<BR>
Charter: <A HREF="http://lists.netsys.com/full-disclosure-charter.html">http://lists.netsys.com/full-disclosure-charter.html</A><BR>
<BR>
</FONT>
</P>
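<P><FONT SIZE=2>Added example, not part of the original advisory and not the MOD's own code: a server-side check for the promoter-ID field, needed because the form's maxlength of 10 is enforced only by the browser. It is written in Python with sqlite3; the users table, the use of geworbenv as a column name and all function names are assumptions, while the field name, groupid and the rejected string are taken from the advisory.</FONT></P>

```python
import sqlite3

MAXLEN = 10  # the form's maxlength, enforced here on the server

def parse_promoter_id(raw):
    """Return the promoter's user ID as an int, or raise ValueError."""
    if not isinstance(raw, str) or not (1 <= len(raw) <= MAXLEN):
        raise ValueError("promoter ID has wrong length")
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("promoter ID is not a decimal number")
    return int(raw)

def make_db():
    # Constructed stand-in schema (assumption): the advisory does not show the board's tables.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, groupid INTEGER, geworbenv)")
    db.executemany("INSERT INTO users VALUES (?, ?, NULL)", [(1, 1), (7, 3)])
    return db

def set_promoter(db, userid, value):
    # Bound parameters: the value travels as data and is never parsed as SQL.
    db.execute("UPDATE users SET geworbenv = ? WHERE userid = ?", (value, userid))

def register(db, userid, raw_field):
    """Validate the form field, confirm the promoter exists, then store it."""
    promoter = parse_promoter_id(raw_field)
    exists = db.execute("SELECT 1 FROM users WHERE userid = ?", (promoter,)).fetchone()
    if exists is None or promoter == userid:
        raise ValueError("unknown promoter")
    set_promoter(db, userid, promoter)

def row(db, userid):
    return db.execute("SELECT groupid, geworbenv FROM users WHERE userid = ?",
                      (userid,)).fetchone()

def check_field(raw_field):
    """Register user 7 on a fresh database; return (accepted, (groupid, geworbenv))."""
    db = make_db()
    try:
        register(db, 7, raw_field)
        return True, row(db, 7)
    except ValueError:
        return False, row(db, 7)

if __name__ == "__main__":
    # Constructed inputs; the second is the string from the advisory.
    for sample in ["1", ", groupid=1", "12345678901", "99"]:
        print(repr(sample), check_field(sample))
```

Validation and parameter binding are independent layers: even if the check were skipped, the bound UPDATE would store the advisory's string as a plain value and leave groupid untouched.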

</BODY>
</HTML>