=========================================================
Affected.scr..: SoftBB <= 0.1
Advisory.ID...: 10060904
Type..........: SQL Injection, PHP code execution, FPD
Risk.level....: High
Vendor.Status.: Patched
Src.download..: http://www.softbb.be/
Adv.link......: acid-root.new.fr/advisories/10060904.txt
=========================================================

==[ OVERVIEW
============

"If you are looking for the lightest forum possible, and not only in the number of KB it takes on your web space but above all, as people tend to forget, in the number of MySQL queries generated per page, look no further, you have found it. (These are of course well-behaved queries; I do not cut them down just for the sake of cutting down.) [...]"
[Quote from www.softbb.be, translated from French]

==[ DETAILS
===========

Several vulnerabilities have been discovered in SoftBB v0.1.

1) Input passed to the "groupe" parameter in /addmembre.php is not properly sanitised before being used in a SQL query (the value is not enclosed in quotes). Input passed to the "select" parameter in /moveto.php is not properly sanitised before being used in a SQL query (the value is enclosed in quotes). These bugs can be exploited to conduct SQL injection attacks.

2) Input passed to multiple parameters in admin/save_opt.php is not properly sanitised before being written into a PHP script (unquoted). This can be exploited to execute arbitrary PHP code. Successful exploitation requires administrator rights.

3) The "page" parameter in index.php does not properly handle empty or invalid values (for example an array instead of a string). The resulting PHP error message can be exploited to determine the installation path (full path disclosure).

==[ POC/EXPLOIT
===============

GET  index.php
DATA ?page[]=mp

http://acid-root.new.fr/poc/11060904.txt

==[ SOLUTION
============

Edit the source code to ensure that input is properly verified.

==[ TIMELINE
============

04. Sept. 2006 - Public Disclosure

==[ CONTACT
===========

Author: DarkFig
Web...: www.acid-root.new.fr
E-mail: gmdarkfig[*]gmail[*]com (fr/en)
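The three bug classes in the DETAILS section (unquoted and quoted SQL injection, PHP code execution through a generated config file, and full path disclosure via an array-typed "page" parameter) are illustrated below with a vulnerable handler beside a hardened one. This is an added example written for this page, not SoftBB's source and not the author's PoC; the function, table and column names (forums, members, groupe, pages/), the JSON config file and the page-name regex are all assumptions.

```php
<?php
// Added illustration, not SoftBB's code. Hypothetical handlers that mirror
// the three bug classes in the advisory, each followed by a hardened version.
// Table/column/function names and the config file format are assumptions.

// 1a) "select"-style parameter used inside quotes. Vulnerable: raw interpolation,
//     so  ' OR '1'='1  breaks out of the string literal.
function move_topic_vulnerable(mysqli $db, array $get)
{
    $sql = "SELECT id FROM forums WHERE name = '" . $get['select'] . "'";
    return $db->query($sql);
}
// 1b) "groupe"-style parameter used without quotes. Vulnerable: no quotes means
//     no quote is even needed; anything after the digits is executed as SQL.
function add_member_vulnerable(mysqli $db, array $get): bool
{
    $sql = "UPDATE members SET groupe = " . $get['groupe'] . " WHERE id = 1";
    return $db->query($sql);
}
// Hardened: prepared statements for both; the numeric one is validated as int,
// the string one is rejected unless it actually is a string (page[]-style input).
function move_topic_safe(mysqli $db, array $get): ?array
{
    $name = is_string($get['select'] ?? null) ? $get['select'] : '';
    $stmt = $db->prepare("SELECT id FROM forums WHERE name = ?");
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row === false ? null : $row;
}
function add_member_safe(mysqli $db, array $get): bool
{
    $groupe = filter_var($get['groupe'] ?? null, FILTER_VALIDATE_INT);
    if ($groupe === false) {
        return false;                      // not an integer: refuse, do not guess
    }
    $id   = 1;
    $stmt = $db->prepare("UPDATE members SET groupe = ? WHERE id = ?");
    $stmt->bind_param('ii', $groupe, $id);
    return $stmt->execute();
}

// 2) Options persisted by writing PHP source (save_opt.php-style).
//    Vulnerable: the value lands inside a string literal of an executable file,
//    so a title of  ';phpinfo();//  closes the literal and runs code on next include.
function save_opt_vulnerable(string $file, string $title): void
{
    file_put_contents($file, "<?php \$title = '" . $title . "';");
}
// Hardened: configuration is data, not code. Store it in a non-executable
// format (JSON here) and parse it back; the web server must not serve the file.
function save_opt_safe(string $file, string $title): void
{
    file_put_contents($file, json_encode(['title' => $title], JSON_THROW_ON_ERROR));
}
function load_opt_safe(string $file): array
{
    return json_decode(file_get_contents($file), true, 512, JSON_THROW_ON_ERROR);
}

// 3) ?page[]=mp turns $_GET['page'] into an array. Passing it to a string
//    function raises a warning (PHP 5/7) or TypeError (PHP 8) whose message
//    contains the absolute script path; with display_errors on, that is the FPD.
function resolve_page_vulnerable(array $get): string
{
    $page = $get['page'] ?? 'index';
    return 'pages/' . basename($page) . '.php';   // array given: error text leaks the path
}
// Hardened: enforce the type and an allow-list pattern, fall back silently.
function resolve_page_safe(array $get): string
{
    $page = $get['page'] ?? 'index';
    if (!is_string($page) || !preg_match('/^[a-z0-9_]{1,32}$/', $page)) {
        $page = 'index';                           // arrays, empty and odd names all rejected
    }
    return 'pages/' . $page . '.php';
}
```

The type check in resolve_page_safe is the part that addresses the PoC directly: is_string rejects the array produced by page[]=mp before any string function sees it, so no error is emitted whether or not display_errors is on. Turning display_errors off in production is still worth doing, but it only hides the path; the type check removes the error.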