header-logo
Suggest Exploit
vendor:
BMForum
by:
Stephan Sattler
9
CVSS
HIGH
SQL Injection
89
CWE
Product Name: BMForum
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

SQL Injection in BMForum

BMForum is vulnerable to an SQL injection attack due to the lack of sanitization of the user-supplied input in the 'forumid' parameter of the js_viewnew.php script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL code in the 'forumid' parameter. This can allow the attacker to gain access to sensitive information stored in the database, such as user credentials.

Mitigation:

To mitigate this vulnerability, the application should sanitize all user-supplied input before using it in an SQL query.
Source

Exploit-DB raw data:

# Author: Stephan Sattler
# Software Website: http://www.bmforum.com/
# Software Link: http://www.bmforum.com/down/
# Required: magic quotes = Off

[ Vulnerability ]
 
 /add-on/js_viewnew.php line 20++:

$length = $_GET['length'];
$forumid = $_GET['forumid'];
$num = $_GET['num'];
$forumnum=$forumid;

{....}

$query = "SELECT * FROM {$database_up}threads WHERE forumid='$forumid' ORDER BY 'changetime' DESC LIMIT 0,$num";

#Explanation:

$forumid($_GET['forumid']) isn't sanitized at all, an attacker could use this for an SQL-Injection.

#Example for an injection:

http://[site]/[folder]/js_viewnew.php?forumid=2'+AnD+1='1&num=1&length=1

Navigation

Suggest Exploit

Services By CQR