Credit:
The information has been provided by Secunia Research.
The original article can be found at: http://secunia.com/secunia_research/2006-44/advisory/
Vulnerable Systems:
* DeluxeBB version 1.06
1) Input passed to the "templatefolder" parameter in various scripts isn't properly verified before it is used to include files. This can be exploited to include arbitrary files from external and local resources.
Examples:
http://[host]/templates/deluxe/postreply.php?templatefolder=[file]
http://[host]/templates/deluxe/posting.php?templatefolder=[file]
http://[host]/templates/deluxe/pm/newpm.php?templatefolder=[file]
http://[host]/templates/default/postreply.php?templatefolder=[file]
http://[host]/templates/default/posting.php?templatefolder=[file]
http://[host]/templates/default/pm/newpm.php?templatefolder=[file]
Successful exploitation requires that "register_globals" is enabled.
2) Input passed to the "hideemail", "languagex", "xthetimeoffset", and "xthetimeformat" parameters when registering for an account isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation requires that "magic_quotes_gpc" is disabled.
The vulnerabilities have been confirmed in version 1.06. Other versions may also be affected.
Solution:
Edit the source code to ensure that input is properly sanitised and verified.
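One way to apply that fix to both issues, as an added example that is not DeluxeBB's code and not part of the Secunia advisory: the template folder is resolved against a fixed allowlist, and the four registration fields are validated by type or allowlist and then bound as query parameters. The function names, the table schema, and the language and time-format values are assumptions made for illustration.

```php
<?php
// Added example: names, paths and schema below are assumptions, not DeluxeBB code.
declare(strict_types=1);

const ALLOWED_TEMPLATES    = ['default', 'deluxe']; // folder names seen in the advisory URLs
const ALLOWED_LANGUAGES    = ['english'];           // constructed sample value
const ALLOWED_TIME_FORMATS = ['12', '24'];          // constructed sample values

// Issue 1: map the requested folder onto a fixed allowlist before any include.
function template_path(string $requested, string $baseDir): string
{
    if (!in_array($requested, ALLOWED_TEMPLATES, true)) {
        $requested = 'default'; // URLs, "../" sequences and absolute paths all land here
    }
    return $baseDir . '/templates/' . $requested;
}

// Issue 2: validate each registration field by type or allowlist.
function registration_prefs(array $in): array
{
    $offset = filter_var($in['xthetimeoffset'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($offset === false || $offset < -12 || $offset > 14) {
        throw new InvalidArgumentException('xthetimeoffset');
    }
    foreach (['languagex' => ALLOWED_LANGUAGES, 'xthetimeformat' => ALLOWED_TIME_FORMATS] as $key => $ok) {
        if (!in_array($in[$key] ?? null, $ok, true)) {
            throw new InvalidArgumentException($key);
        }
    }
    return [
        'hideemail'  => ($in['hideemail'] ?? '0') === '1' ? 1 : 0,
        'language'   => $in['languagex'],
        'timeoffset' => $offset,
        'timeformat' => $in['xthetimeformat'],
    ];
}

// Validated values are still bound as parameters, never concatenated into SQL.
$db = new PDO('sqlite::memory:'); // hypothetical in-memory schema for the demo
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (hideemail INT, language TEXT, timeoffset REAL, timeformat TEXT)');
$stmt = $db->prepare('INSERT INTO users VALUES (:hideemail, :language, :timeoffset, :timeformat)');

// Constructed request data.
$post = ['hideemail' => '1', 'languagex' => 'english', 'xthetimeoffset' => '2', 'xthetimeformat' => '24'];
$stmt->execute(registration_prefs($post));
echo template_path('http://example.invalid/x', __DIR__), "\n"; // falls back to .../templates/default
```

With this approach neither issue depends on "register_globals" or "magic_quotes_gpc" being set a particular way, since the checks run on every request regardless of PHP configuration.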
Time Table:
26/05/2006 - Initial vendor notification.
14/06/2006 - Public disclosure.
CVE Information:
CVE-2006-2914, CVE-2006-2915