Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12374
HistoryApr 22, 2006 - 12:00 a.m.

[Full-disclosure] vBulletin <= 3.5.4 with MKPortal 1.1 Remote SQL Injection Vulnerability.

2006-04-2200:00:00
vulners.com
11

–Security Report–
Advisory: vBulletin <= 3.5.4 with MKPortal 1.1 Remote SQL Injection
Vulnerability.

Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI

Date: 21/04/06 22:36 PM

Contacts:{
ICQ: 10072
MSN/Email: [email protected]
Web: http://www.nukedx.com
}

Vendor: MKPortal (http://www.mkportal.it/&#41;
Version: 1.1 RC1 and prior versions must be affected. (Runs on vBulletin!)
About: Via this methods remote attacker can inject arbitrary SQL queries to
ind parameter in index.php of MKPortal.
Vulnerable code can be found in the file
mkportal/include/VB/vb_board_functions.php at line 35-37, as you can see it
easy to
by pass this SQL update function.
Also there is cross-site scripting vulnerability in pm_popup.php the
parameters u1,m1,m2,m3,m4 did not sanitized properly.
Level: Critical

How&Example:
SQL Injection :

GET -> http://[victim]/[mkportaldir]/index.php?ind=[SQL]
EXAMPLE -> http://[victim]/[mkportaldir]/index.php?ind=',userid='1
So with this example remote attacker updates his session's userid to 1 and
after refreshing the page he can logs as userid 1.

XSS:
GET ->

http://[victim]/[mkportaldir]/includes/pm_popup.php?u1=[XSS]&m1=[XSS]&m2=[XSS]&m3=[XSS]&m4=[XSS]


Timeline:

  • 21/04/2006: Vulnerability found.
  • 21/04/2006: Contacted with vendor and waiting reply.

Exploit:
http://www.nukedx.com/?getxpl=26

Dorks: "MKPortal 1.1 RC1"

Original advisory can be found at: http://www.nukedx.com/?viewdoc=26


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/