Phpbb Sql Injection Exploit
Posted 11 November 2003 - 06:40 AM
* phpBB version 2.0.5 and prior
* phpBB version 2.0.6
phpBB has a list of registered users; when you click on a member of this list, you request data from the database.
This URL shows the information for the user with the uid = 2 (the uid is a number assigned to users in phpBB). The content of the 'u' variable isn't filtered for malicious content.
An attacker could inject arbitrary SQL commands into the system's database.
Upgrade to version 2.0.6 of phpBB, as the version is immune to this issue.
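An added illustration of the unfiltered `u` parameter described in the post above and of the filtering it lacks; this is not phpBB's code and not part of the original thread. The `members` table, the function names and the PDO/SQLite setup are assumptions made for the example.

```php
<?php
// Constructed stand-in for a member table; not phpBB's real schema.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (user_id INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec("INSERT INTO members VALUES (1, 'admin'), (2, 'alice'), (3, 'bob')");

// Unsafe pattern described in the post: the raw 'u' value becomes part of the SQL text.
function profile_unfiltered(PDO $pdo, string $u): array
{
    $sql = 'SELECT user_id, username FROM members WHERE user_id = ' . $u;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: accept only a decimal user id, then bind it as an integer parameter.
function profile_filtered(PDO $pdo, string $u): array
{
    if (!ctype_digit($u) || strlen($u) > 9) {
        throw new InvalidArgumentException('u must be a numeric user id');
    }
    $stmt = $pdo->prepare('SELECT user_id, username FROM members WHERE user_id = :uid');
    $stmt->bindValue(':uid', (int) $u, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal id and a value carrying extra SQL.
foreach (['2', '2 OR 1=1'] as $u) {
    $shown = var_export($u, true);
    printf("u=%s unfiltered rows: %d\n", $shown, count(profile_unfiltered($pdo, $u)));
    try {
        printf("u=%s filtered rows: %d\n", $shown, count(profile_filtered($pdo, $u)));
    } catch (InvalidArgumentException $e) {
        printf("u=%s rejected: %s\n", $shown, $e->getMessage());
    }
}
```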
Posted 11 November 2003 - 11:33 AM
Couldn't think of any good SQL code in less than 25 characters, but maybe that's because I got this huge headache.
Posted 19 December 2003 - 11:39 PM
Posted 20 December 2003 - 12:18 PM
Posted 26 February 2004 - 11:52 PM
Love this small Japanese admin ))
Posted 25 April 2004 - 04:18 AM
I have had such an attack on my forum, and the malicious attacker changed my passwords etc., locking me out of my own forum.
The only good solution that exists for protecting your forum from such attacks is to get the newer version of phpBB or just move on to a better script like Invision boards, like the one GSO uses.
Posted 13 June 2004 - 09:02 AM
They must have lost a lot of respect for this one.
select * from users; would give you the hash of the password, no?
Posted 23 June 2004 - 01:29 PM
Posted 25 June 2004 - 05:42 AM
So, please help me.