[For 1.6] Advanced Forum Signatures [Latest Version: 2.0.4]
This plugin has a SQL injection vulnerability that allows anyone to gain admin permissions.

In signature.php
   $db->query("UPDATE ".TABLE_PREFIX."users SET `afs_type`='{$mybb->input['afs_type']}', [...]

The inputs aren't escaped, so anyone can, for example, change the admin user's password.

Original exploit was posted here

http://www.smoothblog.co.uk/2011/10/11/h...injection/
Turkish utf8 not supported :@
Yes, Turkish utf8 not supported

this screenshot


Is there a way to fix the security vulnerability in this plugin?
Please help me, Vietnamese utf8 not supported.
Great plugin :)

UTF8 support there yet?
(2011-10-12, 10:41 AM)frostschutz Wrote: This plugin has a SQL injection vulnerability that allows anyone to gain admin permissions.

In signature.php
   $db->query("UPDATE ".TABLE_PREFIX."users SET `afs_type`='{$mybb->input['afs_type']}', [...]

The inputs aren't escaped, so anyone can, for example, change the admin user's password.

Original exploit was posted here

http://www.smoothblog.co.uk/2011/10/11/h...injection/

Is there a way to fix this yet? I can't use it until this is fixed!
I fold for team 52482. Do you fold?
Open the root file, find:
$db->query("UPDATE ".TABLE_PREFIX."users SET `afs_type`='{$mybb->input['afs_type']}', `afs_background`='{$mybb->input['afs_background']}', `afs_showonline`={$mybb->input['afs_showonline']}, `afs_full_line1`='{$mybb->input['afs_full_line1']}', `afs_full_line2`='{$mybb->input['afs_full_line2']}', `afs_full_line3`='{$mybb->input['afs_full_line3']}', `afs_full_line4`='{$mybb->input['afs_full_line4']}', `afs_full_line5`='{$mybb->input['afs_full_line5']}', `afs_full_line6`='{$mybb->input['afs_full_line6']}', `afs_bar_left`='{$mybb->input['afs_bar_left']}', `afs_bar_center`='{$mybb->input['afs_bar_center']}', `afs_bar_right`='{$mybb->input['afs_bar_right']}' WHERE `uid`='{$mybb->user['uid']}';");

Change it to this:
// afs_showonline is written without quotes, so escape_string() does not protect it; it is cast with intval() instead.
$db->query("UPDATE ".TABLE_PREFIX."users SET `afs_type`='{$db->escape_string($mybb->input['afs_type'])}', `afs_background`='{$db->escape_string($mybb->input['afs_background'])}', `afs_showonline`=".intval($mybb->input['afs_showonline']).", `afs_full_line1`='{$db->escape_string($mybb->input['afs_full_line1'])}', `afs_full_line2`='{$db->escape_string($mybb->input['afs_full_line2'])}', `afs_full_line3`='{$db->escape_string($mybb->input['afs_full_line3'])}', `afs_full_line4`='{$db->escape_string($mybb->input['afs_full_line4'])}', `afs_full_line5`='{$db->escape_string($mybb->input['afs_full_line5'])}', `afs_full_line6`='{$db->escape_string($mybb->input['afs_full_line6'])}', `afs_bar_left`='{$db->escape_string($mybb->input['afs_bar_left'])}', `afs_bar_center`='{$db->escape_string($mybb->input['afs_bar_center'])}', `afs_bar_right`='{$db->escape_string($mybb->input['afs_bar_right'])}' WHERE `uid`='{$mybb->user['uid']}';");
Thanks Omar! I'll gladly use this plugin now!
I fold for team 52482. Do you fold?
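
The fix discussed in this thread, worked through as an added example that is not part of any post or of the plugin's own code: it shows why the unquoted `afs_showonline` column needs an integer cast rather than escaping, and how the text columns can be cleaned in one place. The helper name `afs_clean_input()` is hypothetical, `addslashes()` only stands in for `$db->escape_string()` so the script runs without MyBB, and the request values are constructed.

```php
<?php
// Added example, not the plugin's code; afs_clean_input() is a hypothetical helper.

// String columns written by the UPDATE in signature.php (names from the thread).
const AFS_TEXT_FIELDS = [
    'afs_type', 'afs_background',
    'afs_full_line1', 'afs_full_line2', 'afs_full_line3',
    'afs_full_line4', 'afs_full_line5', 'afs_full_line6',
    'afs_bar_left', 'afs_bar_center', 'afs_bar_right',
];

/**
 * Build a column => value map that is safe to place in the UPDATE.
 * $escape stands in for MyBB's $db->escape_string().
 */
function afs_clean_input(array $input, callable $escape): array
{
    // Numeric column: cast it. Escaping only neutralises quote characters,
    // and this value does not sit inside quotes in the query.
    $update = ['afs_showonline' => (int) ($input['afs_showonline'] ?? 0)];

    foreach (AFS_TEXT_FIELDS as $field) {
        $value = $input[$field] ?? '';
        // A request can turn a field into an array; treat that as empty.
        $update[$field] = $escape(is_string($value) ? $value : '');
    }
    return $update;
}

// Constructed request data. addslashes() is a stand-in so this runs without MyBB.
$input = [
    'afs_type'       => "user's choice (constructed)",
    'afs_showonline' => '1 /* constructed: no quote character in here */',
];

// Escaping alone returns the numeric field unchanged, comment text and all.
var_dump(addslashes($input['afs_showonline']) === $input['afs_showonline']);

// After cleaning, the numeric field is an integer and the text field is escaped.
$update = afs_clean_input($input, 'addslashes');
var_dump($update['afs_showonline'], $update['afs_type']);

// Inside MyBB the map would go to the database layer, for example:
// $db->update_query('users', $update, "uid='".(int) $mybb->user['uid']."'");
```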

