WhiteBoard 0.1.30 Multiple Blind SQL Injection Vulnerabilities
Name WhiteBoard
Vendor http://sarosoftware.com
Versions Affected 0.1.30
Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-07-24
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
________________________
WhiteBoard is a fast, powerful, and free open source
discussion board solution. The project started in March
of 2007, and its recent release is the culmination of
three years of hard work. Developed by a Zend Certified
PHP Engineer, this discussion board uses advanced
algorithms and features which previously were only
available in paid discussion board solutions.
II. DESCRIPTION
_______________
Some parameters in controlpanel.php are not properly
sanitised before being used in SQL queries.
III. ANALYSIS
_____________
Summary:
A) Multiple Blind SQL Injection
A) Multiple Blind SQL Injection
______________________
The parameters email and displayname sent via POST to
controlpanel.php are not properly sanitised before being
used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
Successful exploitation requires that "magic_quotes_gpc"
is disabled.
IV. SAMPLE CODE
_______________
A) Multiple Blind SQL Injection
1 - Login as a normal user.
2 - Go to index.php?act=controlPanel
Try the following code as "Display Name" or "E-mail":
' OR (SELECT(IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)))#
V. FIX
______
No fix.
