SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
WLB
Services
RSS
Corporate
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Home arrow SecurityAlert Database

Arrow  Topic :

Sql injection in SMF [Admin section]


Arrow  SecurityAlert : 1506
Arrow  CVE : CVE-2006-4564
Arrow  SecurityRisk : Medium  Security Risk Medium  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Exploit Available : No
Arrow  Credit : Omid
Arrow  Published : 08.09.2006

Arrow  Affected Software : SMF 1.1 RC3



Arrow  Advisory Content :  

Hi,
There is a sql injection in SMF 1.1 RC3, in admin section :
When an administrator is going to add a new board, the "cur_cat" parameter
is not checked properly :

File /Sources/ManageBoards.php, Line 609 :
:: // Create a new board...
:: if (isset($_POST['add']))
:: {
:: // New boards by default go to the bottom of the category.
:: if (empty($_POST['new_cat']))
<span class="quotelev2">>> $boardOptions['target_category'] =
$_POST['cur_cat'];
</span>
:: if (!isset($boardOptions['move_to']))
:: $boardOptions['move_to'] = 'bottom';
::
<span class="quotelev2">>> createBoard($boardOptions);
</span>
:: }

And in "createBoard()" function :

File /Sources/Subs-Boards.php, Line 1095 :
:: // Insert a board, the settings are dealt with later.
:: db_query("
:: INSERT INTO {$db_prefix}boards
:: (ID_CAT, name, description, boardOrder, memberGroups)
<span class="quotelev2">>> VALUES ($boardOptions[target_category],
SUBSTRING('$boardOptions[board_name]', 1, 255), '', 0, '-1,0')", __FILE__,
__LINE__);
</span>
This is in administration section, so it doesnt seem to be critical.

- Omid





Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc:fts_*() Multiple Denial of Service

Security Risk Medium- 2009-10-02

The fts functions are provided for traversing UNIX file hierarchies...

Apache RSS Apache Alert

» Apache 1.3.41 mod_proxy
   Integer overflow (code
   execution)

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion in work
   directory

» Apache Tomcat 6.0.20 and
   5.5.28 insecure partial
   deploy after failed
   undeploy

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion and/or
   alteration

PHP RSS PHP Alert

» PHP 5.2.12/5.3.1
   session.save_path
   safe_mode and
   open_basedir bypass

» PHP 5.2.12/5.3.1 Multiple
   Vulnerabilities

» PHP 5.2.11 libgd multiple
   vulnerabilities

» PHP 5.2.11 tempnam()
   safe_mode bypass

Copyright © SecurityReason.com. All Rights Reserved.