by r0t,der4444,cembo,VietMafia

Monday, November 28, 2005

SocketKB 1.1.x Vuln.

Vuln. discovered by: r0t
Date: 29 nov. 2005
Vendor: http://www.socketkb.com
Affected version: 1.1.0 and prior

Product Description:
Deploy a fast, powerful and professional knowledge base on your website. Setup in minutes. Give your customers answers to their problems fast! Reduce support resources and time significantly. Feature rich, flexible and easy to manage. Support unlimited users, categories, articles and attachments. Allow you to create unlimited user groups. Fast category listing engine, tested with over 1300 categories. You have total control. Knowledge base can be restricted to Members Only or open to public. Option to allow access to specific category for certain groups. Great design, allow you to set icons to categories and articles. Visitor may post comments, questions and rate articles. Powerful WYSIWYG editor for you to create articles. Support unlimited and multiple level of administrators. SocketKB empowers you with the right tools.

Vuln. description:

1.
Input passed to the "node" and "art_id" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/?__f=category&node=[SQL]
/?__f=rating_add&art_id=[SQL]

2.
Input passed to the "__f" parameter isn't properly verified before it is used to include files. This can be exploited to include arbitrary files from local resources.

Successful exploitation requires that "magic_quotes_gpc" is disabled.


Solution:
Edit the source code to ensure that input is properly sanitised.
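
One way to apply this fix, as an added example that is not SocketKB's own code and not part of the original advisory: "__f" is resolved through a fixed allowlist, and "node" / "art_id" are accepted only as plain integers and bound as typed query parameters. The handler paths, table and column names and the sample requests are assumptions.

```php
<?php
// Added example: hypothetical request validation, not SocketKB's own code.
// Only the parameter names and "category" / "rating_add" come from the advisory.

// "__f" is only used as a key into this map, so request input never
// becomes part of a filesystem path. Paths are hypothetical.
function resolve_handler($f): ?string
{
    $handlers = [
        'category'   => 'handlers/category.php',
        'rating_add' => 'handlers/rating_add.php',
    ];
    return is_string($f) ? ($handlers[$f] ?? null) : null;
}

// Accept only a plain positive decimal integer for "node" / "art_id".
function parse_id($raw): ?int
{
    $ok = is_string($raw) && preg_match('/\A[1-9][0-9]{0,8}\z/', $raw) === 1;
    return $ok ? (int) $raw : null;
}

// The id is bound as a typed parameter; it is never concatenated into SQL.
// Table and column names are a hypothetical schema.
function fetch_category(PDO $db, int $node): array
{
    $stmt = $db->prepare('SELECT id, title FROM categories WHERE id = :node');
    $stmt->bindValue(':node', $node, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data and requests (in-memory SQLite, needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO categories VALUES (1, 'General'), (2, 'Billing')");
$requests = [
    ['__f' => 'category', 'node' => '2'],       // accepted
    ['__f' => 'category', 'node' => '2x'],      // non-numeric id
    ['__f' => 'sub/category', 'node' => '1'],   // not an allowlisted handler
    ['__f' => ['category'], 'node' => '1'],     // array instead of string
];
foreach ($requests as $q) {
    $path = resolve_handler($q['__f'] ?? null);
    $node = parse_id($q['node'] ?? null);
    echo ($path === null || $node === null) ? "400 rejected\n"
        : "200 $path " . json_encode(fetch_category($db, $node)) . "\n";
}
```

Neither check depends on "magic_quotes_gpc", which was removed in PHP 5.4.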

Copyright (c) 2006 Pridels Sec Crew