Home page logo

bugtraq logo Bugtraq mailing list archives

[KAPDA::#16] - SMF SQL Injection
From: alireza hassani <trueend5 () yahoo com>
Date: Fri, 9 Dec 2005 03:49:27 -0800 (PST)

KAPDA New advisory

Vendor: http://www.simplemachines.org/
Vulnerable Version:SMF 1.1 rc1, Other versions also
may be affected.
Bug: SQL Injection
Exploitation: Remote with browser

Simple Machines Forum is a most widely used PHP-based
message board system that uses a MySQL database.
Lets Look at the Source Code of 'Memberlist.php' :
if (!is_numeric($_REQUEST['start']))
                $request = db_query("
                        SELECT COUNT(ID_MEMBER)
                        FROM {$db_prefix}members
                        WHERE LOWER(SUBSTRING(realName, 1, 1)) < '" .
substr(strtolower($_REQUEST['start']), 0, 1) . "'
                                AND is_activated = 1", __FILE__, __LINE__);
                list ($_REQUEST['start']) =
As shown up, The script does not properly validate
user-supplied input in 'start' that may allow a remote
user to launch Sql injection attacks. A Registered
user can create specially crafted parameter values
that will execute SQL commands on the underlying

Demonstration URL :

There is no vendor supplied patch for this issue at
this time.
Our recommendation for a temporary fix:
In  /Sources/Memberlist.php find these lines: 

if (!is_numeric($_REQUEST['start']))

And add these lines after those:

if (!eregi($Pattern, $_REQUEST['start'])) die('Hacking

Original Advisory:

Credit :
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran

Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]