Credit:
The information has been provided by Secunia Research.
The original article can be found at: http://secunia.com/secunia_research/2008-15/
Vulnerable Systems:
* TorrentTrader version 1.08 Classic Edition released before 2008-06-17
Immune Systems:
* TorrentTrader version 1.08 Classic Edition released on 2008-06-17
Multiple vulnerabilities have been discovered in TorrentTrader:
1) Input passed to the "email" and "wantusername" parameters in account-signup.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation allows, for example, retrieval of administrator password hashes, but requires that "magic_quotes_gpc" is disabled (with it enabled, PHP backslash-escapes quotes in request data, which neutralises this quote-based injection) and that the site is not configured as invite-only.
2) Input passed to the "receiver" parameter in account-inbox.php (when "msg" is set) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires valid user credentials and that "magic_quotes_gpc" is disabled.
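Both issues share one root cause: request parameters are interpolated into SQL text instead of being bound as values, so a single quote in "email", "wantusername" or "receiver" ends the string literal and the rest of the input becomes SQL. The script below is an added illustration of that bug class and its fix, not TorrentTrader's own code: the users table, column names, hashes and payloads are constructed, SQLite stands in for MySQL, and quote-doubling stands in for the backslash escaping that magic_quotes_gpc applied on PHP/MySQL.

```python
import sqlite3

# Constructed sample data; not TorrentTrader's real schema or any real hash.
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"

# Shaped like the "receiver" case: close the literal, UNION in another column.
UNION_PAYLOAD = "x' UNION SELECT passhash FROM users WHERE username='admin"

# Shaped like the "email" case on signup: the stored e-mail address becomes
# the admin hash, which the attacker can then read back from his own profile.
EMAIL_PAYLOAD = "' || (SELECT passhash FROM users WHERE username='admin') || '"


def make_db():
    """Fresh in-memory database with a constructed users table."""
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE users (
            id       INTEGER PRIMARY KEY,
            username TEXT NOT NULL UNIQUE,
            email    TEXT NOT NULL,
            passhash TEXT NOT NULL
        );
        INSERT INTO users VALUES (1, 'admin', 'admin@example.invalid', '{ADMIN_HASH}');
        INSERT INTO users VALUES (2, 'alice', 'alice@example.invalid', 'a1b2c3');
    """)
    return con


def lookup_vulnerable(con, receiver):
    """Inbox-style lookup that interpolates the parameter into the SQL text."""
    sql = f"SELECT id FROM users WHERE username = '{receiver}'"
    return [row[0] for row in con.execute(sql)]


def lookup_escaped(con, receiver):
    """Escapes quotes before interpolating. This is the job magic_quotes_gpc
    did on MySQL (with backslashes); SQLite doubles the quote instead. It stops
    this payload but remains string building, so it is a mitigation, not a fix."""
    escaped = receiver.replace("'", "''")
    sql = f"SELECT id FROM users WHERE username = '{escaped}'"
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, receiver):
    """Bound parameter: the value never becomes part of the statement."""
    rows = con.execute("SELECT id FROM users WHERE username = ?", (receiver,))
    return [row[0] for row in rows]


def signup_vulnerable(con, wantusername, email, passhash):
    """Signup-style INSERT built from request data; returns the stored e-mail."""
    sql = ("INSERT INTO users (username, email, passhash) "
           f"VALUES ('{wantusername}', '{email}', '{passhash}')")
    con.execute(sql)
    row = con.execute("SELECT email FROM users WHERE username = ?",
                      (wantusername,)).fetchone()
    return row[0]


def signup_parameterized(con, wantusername, email, passhash):
    """Same INSERT with bound values; the payload is stored as a plain string."""
    con.execute("INSERT INTO users (username, email, passhash) VALUES (?, ?, ?)",
                (wantusername, email, passhash))
    row = con.execute("SELECT email FROM users WHERE username = ?",
                      (wantusername,)).fetchone()
    return row[0]


if __name__ == "__main__":
    print("benign lookup      :", lookup_vulnerable(make_db(), "alice"))
    print("vulnerable lookup  :", lookup_vulnerable(make_db(), UNION_PAYLOAD))
    print("escaped lookup     :", lookup_escaped(make_db(), UNION_PAYLOAD))
    print("parameterized      :", lookup_parameterized(make_db(), UNION_PAYLOAD))
    print("vulnerable signup  :", signup_vulnerable(make_db(), "eve", EMAIL_PAYLOAD, "h"))
    print("parameterized signup:", signup_parameterized(make_db(), "eve", EMAIL_PAYLOAD, "h"))
```

The vulnerable lookup returns the admin hash in place of a user id, and the vulnerable signup stores the admin hash as the new account's e-mail address; the escaped variant shows why the advisory lists "magic_quotes_gpc" disabled as a precondition, and the parameterized variants show the fix that does not depend on a PHP ini setting.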
Solution:
Update to the TorrentTrader 1.08 Classic Edition build released on 2008-06-17 or later.
Time Table:
10/06/2008: Contacted the vendor.
17/06/2008: Contacted the vendor again.
17/06/2008: Vendor asks for PoC.
17/06/2008: Sent PoC to the vendor.
17/06/2008: Vendor releases a fixed version.
18/06/2008: Public disclosure.
CVE Information:
CVE-2008-2428