[Full-disclosure] [CVE-2014-2339] GNUboard SQL Injection Vulnerability

2014-03-17 Thread claepo.wang
==Advisory: GNUboard SQL Injection Vulnerability
Author: [email protected]
Affected Version: GNUboard5 (the latest version)
Vendor URL: http://sir.co.kr/
Vendor Status: Unfixed (I know little about Korean, so I do not know how to describe this vuln to the vendor.)
==
Vulnerability Description
==

Recently, I found several vulnerabilities in the famous Korean forum program - the GNUboard.

Vulnerable file: /bbs/ajax.autosave.php

include_once('./_common.php'); // global filter on $_GET, $_POST, $_COOKIE, $_REQUEST

if (!$is_member) die('0'); // member login required

$uid     = trim($_REQUEST['uid']); // current user id
$subject = trim(stripslashes($_REQUEST['subject'])); // stripslashes undoes the global filter's escaping, causing a SQL injection
$content = trim(stripslashes($_REQUEST['content'])); // same as above

if ($subject && $content) {
    $sql = " select count(*) as cnt from {$g5['autosave_table']} where mb_id = '{$member['mb_id']}' and as_subject = '$subject' and as_content = '$content' ";
    $row = sql_fetch($sql); // the unescaped string ($subject|$content) is interpolated into the SQL query

    if (!$row['cnt']) {
        $sql = " insert into {$g5['autosave_table']} set mb_id = '{$member['mb_id']}', as_uid = '{$uid}', as_subject = '$subject', as_content = '$content', as_datetime = '".G5_TIME_YMDHIS."' on duplicate key update as_subject = '$subject', as_content = '$content', as_datetime = '".G5_TIME_YMDHIS."' ";
        $result = sql_query($sql, false); // database insert / update, same unescaped values

        echo autosave_count($member['mb_id']);
    }
}
?>

==
POC && EXP
==
1. Login as a member
2. GET http://target/bbs/ajax.autosave.php?content=1&subject=1[inj_exp] {exp can be found on my server: http://pandas.pw/gnuboard.exp}
3. Page returns 1062 : Duplicate entry ~admin~*FF6F916236F4FFEE8FADD21EC20216C5C3A04E50~1' for key 'group_key'.
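The root cause above is an ordering bug: the global filter escapes request values, and stripslashes() then removes that escaping before the value is concatenated into SQL. The following is an added Python model of that interaction (not GNUboard code; the addslashes()/stripslashes() emulations, the table name g5_autosave and the sample row are constructed assumptions) showing the broken literal, a quote-parity check a reviewer can run over built queries, and the parameterised form that makes stripslashes() harmless.

```python
import re
import sqlite3

# Constructed stand-ins for the PHP functions the advisory relies on.
def addslashes(s: str) -> str:
    """Emulate PHP addslashes(): backslash-escape quotes, backslashes and NUL."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", s)

def stripslashes(s: str) -> str:
    """Emulate PHP stripslashes(): drop the backslash in front of any character."""
    return re.sub(r"\\(.)", r"\1", s)

def global_filter(params: dict) -> dict:
    """Assumed model of the _common.php global filter: addslashes() on every request value."""
    return {k: addslashes(v) for k, v in params.items()}

def build_query(mb_id: str, request: dict, strip: bool) -> str:
    """Build the SELECT from ajax.autosave.php by string interpolation.
    strip=True mirrors the advisory (stripslashes() after the filter); strip=False keeps the escaping."""
    subject = (stripslashes(request["subject"]) if strip else request["subject"]).strip()
    content = (stripslashes(request["content"]) if strip else request["content"]).strip()
    return (f"select count(*) as cnt from g5_autosave where mb_id = '{mb_id}' "
            f"and as_subject = '{subject}' and as_content = '{content}'")

def literal_terminated_early(sql: str) -> bool:
    """Detection heuristic: an odd number of unescaped single quotes means a
    user value closed a string literal, i.e. the query structure was altered."""
    return len(re.findall(r"(?<!\\)'", sql)) % 2 == 1

def make_db() -> sqlite3.Connection:
    """In-memory table with the columns the advisory's query touches (constructed sample row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table g5_autosave (mb_id text, as_uid text, as_subject text, as_content text)")
    conn.execute("insert into g5_autosave values (?, ?, ?, ?)", ("admin", "u1", "1'", "1"))
    return conn

def safe_count(conn: sqlite3.Connection, mb_id: str, request: dict) -> int:
    """Hardened form: a parameterised query. stripslashes() is now harmless because
    the driver, not string concatenation, delimits the value."""
    subject = stripslashes(request["subject"]).strip()
    content = stripslashes(request["content"]).strip()
    row = conn.execute(
        "select count(*) as cnt from g5_autosave where mb_id = ? and as_subject = ? and as_content = ?",
        (mb_id, subject, content)).fetchone()
    return row[0]

if __name__ == "__main__":
    req = global_filter({"subject": "1'", "content": "1"})  # the advisory's subject=1' probe
    print(build_query("admin", req, strip=True))   # broken literal: ... as_subject = '1'' and ...
    print(build_query("admin", req, strip=False))  # escaping intact: ... as_subject = '1\'' and ...
    print(safe_count(make_db(), "admin", req))     # 1
```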

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
