=========================================================
 Affected.scr..: SoftBB <= 0.1
 Advisory.ID...: 10060904
 Type..........: SQL Injection, PHP code execution, FPD
 Risk.level....: High
 Vendor.Status.: Patched
 Src.download..: http://www.softbb.be/
 Adv.link......: acid-root.new.fr/advisories/10060904.txt
 =========================================================


==[ OVERVIEW
============
If you are looking for the lightest forum possible, and not only in
the number of KB taken up on your web space but above all, as we
tend to forget, in the number of MySQL queries generated per page,
look no further, you have found it. (These are of course well-behaved
queries; I don't reduce just for the sake of reducing).[...]
[Quote from www.softbb.be]


==[ DETAILS
===========
Many vulnerabilities have been discovered in SoftBB v0.1.

1) Input passed to the "groupe" parameter in /addmembre.php isn't
properly sanitised before being used in a SQL query (without quotes).
Input passed to the "select" parameter in /moveto.php isn't
properly sanitised before being used in a SQL query (with quotes).
These bugs can be exploited to conduct SQL injection attacks.

2) Input passed to multiple parameters in admin/save_opt.php is
not properly sanitised before being stored in a PHP script
(without quotes). This can be exploited to execute arbitrary PHP
code. Successful exploitation may require administrator rights.

3) The "page" parameter in index.php is not properly handled when
it is empty or invalid. This can be exploited to determine the
installation path.


==[ POC/EXPLOIT
===============
GET index.php DATA ?page[]=mp
http://acid-root.new.fr/poc/11060904.txt


==[ SOLUTION
============
Edit the source code to ensure that input is properly verified.
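
One way to apply that verification to each of the three classes above,
as an added example (not SoftBB code and not from the advisory author).
The table, column and page names other than "mp" are hypothetical, and
an in-memory SQLite database stands in for the forum's MySQL backend.

```php
<?php
// Added illustration, not SoftBB code. Table, column and page names
// other than "mp" are hypothetical; sample inputs are constructed.

// 1) Value used unquoted in SQL ("groupe"): accept digits only.
function clean_group($raw): ?int {
    return (is_string($raw) && ctype_digit($raw)) ? (int) $raw : null;
}

// 1) Value used inside quotes in SQL ("select"): bind it as a parameter.
function find_forum(PDO $db, $raw): array {
    if (!is_string($raw)) {
        return [];
    }
    $st = $db->prepare('SELECT id, name FROM forums WHERE name = ?');
    $st->execute([$raw]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// 2) Options written into a PHP script: var_export() emits quoted,
// escaped literals, so a stored value cannot end the string and run.
function render_config(array $opts): string {
    return "<?php\nreturn " . var_export($opts, true) . ";\n";
}

// 3) "page": arrays (page[]=mp) and unknown names fall back to a
// default instead of reaching code that emits a path-revealing warning.
function resolve_page($raw): string {
    $allowed = ['index', 'mp', 'profil'];
    return (is_string($raw) && in_array($raw, $allowed, true)) ? $raw : 'index';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE forums (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO forums (name) VALUES ('general')");

var_dump(clean_group('2'), clean_group('2 OR 1=1'));
var_dump(count(find_forum($db, 'general')), count(find_forum($db, "x' OR '1'='1")));
var_dump(resolve_page('mp'), resolve_page(['mp']), resolve_page(null));

// Round-trip the generated config to confirm the value stays data.
$file = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($file, render_config(['title' => "x'; echo 'run'; //"]));
$cfg = include $file;
var_dump($cfg);
unlink($file);
```

Setting display_errors to Off in production additionally keeps any
remaining warnings from printing the installation path.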


==[ TIMELINE
============
04. Sept. 2006 - Public Disclosure


==[ CONTACT
===========
Author: DarkFig
Web...: www.acid-root.new.fr
E-mail: gmdarkfig[*]gmail[*]com (fr/en)