
Woltlab Burning Board 1.0.2 SQL-Injection Vulnerability






Woltlab Burning Board Lite (1.0.2) has a SQL injection vulnerability in search.php, lines 510-515:

  if(!$savepostids) eval("error(\"".$tpl->get("error_searchnoresult")."\");");
  // showposts, sortby and sortorder are taken straight from $_POST, unescaped
  $result=$db->query_first("SELECT searchid FROM bb".$n."_searchs WHERE
      postids='$savepostids' AND showposts='$_POST[showposts]' AND
      sortby='$_POST[sortby]' AND sortorder='$_POST[sortorder]' AND
      userid='$wbbuserdata[userid]' AND ipaddress='$REMOTE_ADDR'");
  if($result['searchid']) {
    header("Location: search.php?searchid=$result[searchid]&sid=$session[hash]");
    exit();
  }

There is no addslashes() around $_POST[showposts], $_POST[sortby] and $_POST[sortorder], so a single quote in any of these values terminates the string literal in the query and the rest of the value is parsed as SQL.


== Exploit == 



== Fix ==
  if(!$savepostids) eval("error(\"".$tpl->get("error_searchnoresult")."\");");
  // the three POST values are escaped outside the double-quoted string,
  // so the concatenation operators are real PHP and not part of the SQL text
  $result=$db->query_first("SELECT searchid FROM bb".$n."_searchs WHERE "
      . "postids='$savepostids' AND "
      . "showposts='".addslashes($_POST['showposts'])."' AND "
      . "sortby='".addslashes($_POST['sortby'])."' AND "
      . "sortorder='".addslashes($_POST['sortorder'])."' AND "
      . "userid='$wbbuserdata[userid]' AND ipaddress='$REMOTE_ADDR'");
  if($result['searchid']) {
    header("Location: search.php?searchid=$result[searchid]&sid=$session[hash]");
    exit();
  }
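The fix above escapes the values; a stricter version of the same lookup, added here as an example that is not Burning Board's own code, rejects anything outside the values these three parameters can legitimately take and binds every value as a placeholder. The allowed sortby/sortorder values, the numeric showposts and the PDO connection are assumptions.

```php
<?php
// Added example, not Burning Board's own code: check the three search
// parameters against what they may legitimately contain before they reach
// SQL, and bind them as placeholders instead of escaping with addslashes().
// The allowed sortby/sortorder values and the PDO connection are assumptions.

const ALLOWED_SORTBY    = ['posttime', 'username', 'subject'];
const ALLOWED_SORTORDER = ['ASC', 'DESC'];

// Returns the normalised parameters, or null when any of them is not one of
// the expected values (which also covers any quote or SQL fragment).
function validate_search_params(array $post): ?array
{
    $showposts = (string)($post['showposts'] ?? '');
    $sortby    = (string)($post['sortby'] ?? '');
    $sortorder = strtoupper((string)($post['sortorder'] ?? ''));

    if (!ctype_digit($showposts)) {          // showposts treated as a number (assumption)
        return null;
    }
    if (!in_array($sortby, ALLOWED_SORTBY, true)) {
        return null;
    }
    if (!in_array($sortorder, ALLOWED_SORTORDER, true)) {
        return null;
    }
    return ['showposts' => (int)$showposts, 'sortby' => $sortby, 'sortorder' => $sortorder];
}

// Same lookup as search.php, but every value is a bound parameter.
// $n is the table prefix number, $p the output of validate_search_params().
function find_search_id(PDO $db, string $n, string $savepostids, array $p, int $userid, string $ip): ?int
{
    $sql = "SELECT searchid FROM bb{$n}_searchs WHERE postids = ? AND showposts = ?"
         . " AND sortby = ? AND sortorder = ? AND userid = ? AND ipaddress = ?";
    $stmt = $db->prepare($sql);
    $stmt->execute([$savepostids, $p['showposts'], $p['sortby'], $p['sortorder'], $userid, $ip]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int)$row['searchid'] : null;
}

// Constructed input: the second request carries a stray quote in sortby
// and is rejected before any query text is built.
$ok  = validate_search_params(['showposts' => '1', 'sortby' => 'posttime', 'sortorder' => 'desc']);
$bad = validate_search_params(['showposts' => '1', 'sortby' => "posttime'", 'sortorder' => 'desc']);
var_dump($ok !== null, $bad === null);
```

Where the board's own $db wrapper has no prepared-statement support, validate_search_params() alone still removes the injection, since only allowlisted values ever reach the string-built query.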



