[TKADV2005-12-001] Multiple SQL Injection vulnerabilities in MyBB

2005-12-23, posted by tk

Advisory:            Multiple SQL Injection vulnerabilities in MyBB
Name:                TKADV2005-12-001
Revision:            1.0
Release Date:        2005/12/23
Last Modified:       2005/12/23
Date Reported:       2005/11/07
Author:              Tobias Klein (tk at trapkit.de)
Affected Software:   MyBB (all versions <= MyBB PR2 Rev.686)
Risk:                Critical (x) High ( ) Medium ( ) Low ( )
Vendor URL:          http://www.mybboard.com/
Vendor Status:       Vendor has released an updated version


=========
Overview:
=========

  MyBB is a powerful, efficient and free forum package developed in 
  PHP and MySQL. 

  Version MyBB PR2 Rev.686 and prior contain multiple SQL Injection 
  vulnerabilities.
 

======================
Vulnerability details:
======================

Some of the following vulnerabilities can be successfully exploited
by any anonymous guest user of MyBB. To exploit the other issues
a registered user account is needed. Because of that, all
vulnerabilities are rated with a high probability of occurrence.

Every SQL injection issue described below allows a full compromise
of a MyBB installation (e.g. stealing or [re]setting the
administrator password). PoC code has been developed but won't be
released to the public.

For a description of the calculation of the resulting threat of a 
vulnerability see reference [3]. 


[1] SQL Injection

Possible damage:   Critical
Probability of occurrence: High
Resulting threat:  Critical

HTTP method: POST

Vulnerability description:

  MyBB is prone to a SQL injection vulnerability. This issue is due
  to a lack of proper sanitization of user-supplied input before
  using it in an SQL query.

  Successful exploitation could result in a compromise of the 
  application, disclosure or modification of data, or may permit an 
  attacker to exploit vulnerabilities in the underlying database 
  implementation.
  
  This vulnerability can be successfully exploited by any anonymous
  guest user of MyBB.

Vulnerable URL:

[path_to_mybb]/calendar.php?action=addevent

Vulnerable POST parameter: month

Proof of Concept (POST request):

  POST [path_to_mybb]/calendar.php HTTP/1.1

  Parameter   | Value
  ------------+------------
  month       | 11[SQL]
  day         | 11
  year        | 2005
  subject     | test
  description | test
  action      | do_addevent


[2] SQL Injection

Possible damage:   Critical
Probability of occurrence: High
Resulting threat:  Critical

HTTP method: POST

Vulnerability description:

  MyBB is prone to a SQL injection vulnerability. This issue is due
  to a lack of proper sanitization of user-supplied input before
  using it in an SQL query.

  Successful exploitation could result in a compromise of the 
  application, disclosure or modification of data, or may permit an 
  attacker to exploit vulnerabilities in the underlying database 
  implementation.
  
  This vulnerability can be successfully exploited by any anonymous
  guest user of MyBB.

Vulnerable URL:

[path_to_mybb]/calendar.php?action=addevent

Vulnerable POST parameter: day

Proof of Concept (POST request):

  POST [path_to_mybb]/calendar.php HTTP/1.1
  
  Parameter   | Value
  ------------+------------
  month       | 11
  day         | 11[SQL]
  year        | 2005
  subject     | test
  description | test
  action      | do_addevent


[3] SQL Injection

Possible damage:   Critical
Probability of occurrence: High
Resulting threat:  Critical

HTTP method: POST

Vulnerability description:

  MyBB is prone to a SQL injection vulnerability. This issue is due
  to a lack of proper sanitization of user-supplied input before
  using it in an SQL query.

  Successful exploitation could result in a compromise of the 
  application, disclosure or modification of data, or may permit an 
  attacker to exploit vulnerabilities in the underlying database 
  implementation.
  
  This vulnerability can be successfully exploited by any anonymous
  guest user of MyBB.

Vulnerable URL:

[path_to_mybb]/calendar.php?action=addevent

Vulnerable POST parameter: year

Proof of Concept (POST request):

  POST [path_to_mybb]/calendar.php HTTP/1.1

  Parameter   | Value
  ------------+------------
  month       | 11
  day         | 11
  year        | 2005[SQL]
  subject     | test
  description | test
  action      | do_addevent
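Issues [1] to [3] share one root cause: the month, day and year POST values of the addevent handler reach the SQL statement without validation. The following is an added example, not MyBB's code, showing that pattern next to a hardened handler (integer validation plus a parameterised query). It uses an in-memory SQLite database as a stand-in for MySQL; the events table, its columns and the function names are assumptions, and the sample form mirrors the advisory's PoC request.

```python
import datetime
import re
import sqlite3

DIGITS = re.compile(r"[0-9]{1,4}")  # ASCII digits only, at most four of them


def unsafe_query(form):
    """The pattern behind the advisory: POST values pasted straight into the
    statement, so whatever the client sends for month/day/year becomes SQL."""
    return ("INSERT INTO events (subject, description, month, day, year) "
            "VALUES ('" + form["subject"] + "', '" + form["description"] + "', "
            + form["month"] + ", " + form["day"] + ", " + form["year"] + ")")


def validate_event_date(form):
    """Return (month, day, year) as ints, or raise ValueError.
    The regex rejects signs, spaces and anything non-numeric, including the
    advisory's '11[SQL]' placeholder; datetime.date rejects values that are
    numeric but not a real calendar date (month 13, 31 February)."""
    values = []
    for key in ("month", "day", "year"):
        raw = form.get(key, "")
        if DIGITS.fullmatch(raw) is None:
            raise ValueError(f"{key} must be a 1-4 digit integer, got {raw!r}")
        values.append(int(raw))
    month, day, year = values
    datetime.date(year, month, day)  # raises ValueError for impossible dates
    return month, day, year


def new_db():
    """In-memory SQLite stand-in for the forum database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (eid INTEGER PRIMARY KEY, subject TEXT, "
                 "description TEXT, month INTEGER, day INTEGER, year INTEGER)")
    return conn


def add_event(conn, form):
    """Hardened do_addevent: validated integers plus a parameterised query,
    so the database driver never interprets user input as SQL syntax."""
    month, day, year = validate_event_date(form)
    cur = conn.execute(
        "INSERT INTO events (subject, description, month, day, year) "
        "VALUES (?, ?, ?, ?, ?)",
        (form["subject"], form["description"], month, day, year))
    conn.commit()
    return cur.lastrowid
```

The same two controls apply to the text fields: they are bound as parameters too, so a subject containing a quote is stored verbatim instead of terminating the string literal.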


[4] SQL Injection

Possible damage:   Critical
Probability of occurrence: High
Resulting threat:  Critical

HTTP method: POST

Vulnerability description:

  MyBB is prone to a SQL injection vulnerability. This issue is due
  to a lack of proper sanitization of user-supplied input before
  using it in an SQL query.

  Successful exploitation could result

[TKPN2005-12-001] Multiple critical vulnerabilities in MyBB

2005-12-09, posted by tk

Patch Notification:  Multiple critical vulnerabilities in MyBB
Name:                TKPN2005-12-001
Revision:            1.0
Release Date:        2005/12/09
Last Modified:       2005/12/09
Date Reported:       2005/11/07
Author:              Tobias Klein (tk at trapkit.de)
Affected Software:   MyBB (all versions <= MyBB PR2 Rev.686)
Risk:                Critical (x) High ( ) Medium ( ) Low ( )
Vendor URL:          http://www.mybboard.com/
Vendor Status:       Vendor has released an updated version


=========
Overview:
=========

  MyBB is a powerful, efficient and free forum package developed in 
  PHP and MySQL. 

  Version MyBB PR2 Rev.686 and prior contain multiple critical 
  vulnerabilities. It is possible to fully compromise a MyBB
  installation.

  Some of the vulnerabilities can be successfully exploited by every
  anonymous guest user of MyBB.

  I'm going to withhold details of these flaws for two weeks. Full
  details will be published on the 23rd December 2005. This two-week
  window will allow users of MyBB the time needed to apply the
  patches before the details are released to the general public.


=========
Solution:
=========

  Upgrade to MyBB 1.0 or newer.

  http://www.mybboard.com/downloads.php


===========
References:
===========

  [1] http://community.mybboard.net/showthread.php?tid=5184
  [2] http://www.trapkit.de/advisories/TKPN2005-12-001.txt


==================
PGP Signature Key:
==================

  http://www.trapkit.de/advisories/tk-advisories-signature-key.asc


Copyright 2005 Tobias Klein. All rights reserved.




[TKADV2005-11-004] Multiple Cross Site Scripting vulnerabilities in phpMyFAQ

2005-11-19, posted by tk

Advisory:            Multiple Cross Site Scripting vulnerabilities in
                     phpMyFAQ
Name:                TKADV2005-11-004
Revision:            1.0
Release Date:        2005/11/19
Last Modified:       2005/11/19
Author:              Tobias Klein (tk at trapkit.de)
Affected Software:   phpMyFAQ (all versions <= phpMyFAQ 1.5.3)
Risk:                Critical ( ) High (x) Medium ( ) Low ( )
Vendor URL:          http://www.phpmyfaq.de/
Vendor Status:       Vendor has released an updated version


=========
Overview:
=========

  phpMyFAQ is a multilingual, completely database-driven FAQ system.

  Version 1.5.3 and prior contain multiple persistent Cross Site 
  Scripting vulnerabilities. 
  

=========
Solution:
=========

  Upgrade to phpMyFAQ 1.5.4 or newer.
  
  http://www.phpmyfaq.de/download.php
  
  
For more details see: 

  http://www.trapkit.de/advisories/TKADV2005-11-004.txt
  




[TKADV2005-11-001] Multiple vulnerabilities in PHPlist

2005-11-07, posted by tk

Advisory:            Multiple vulnerabilities in PHPlist
Name:                TKADV2005-11-001
Revision:            1.0
Release Date:        2005/11/07
Last Modified:       2005/11/07
Author:              Tobias Klein (tk at trapkit.de)
Affected Software:   PHPlist (all versions <= 2.10.1)
Risk:                Critical ( ) High (x) Medium (x) Low (x)
Vendor URL:          http://www.phplist.com/
Vendor Status:       Vendor has released an updated version


=========
Overview:
=========

  PHPlist is a double opt-in newsletter manager. It is written in
  PHP and uses a SQL database for storing its information.

  Version 2.10.1 and prior contain multiple Cross Site Scripting
  and SQL Injection vulnerabilities. Furthermore, it is possible to
  access and read arbitrary system files through a vulnerability in
  PHPlist.


=========
Solution:
=========

  Upgrade to PHPlist 2.10.2 or newer.
  
  http://www.phplist.com/files/
  

For more technical details see: 

  http://www.trapkit.de/advisories/TKADV2005-11-001.txt

