YABB SE Double Encoded "user" Parameter SQL Injection
Affected Product
YABB SE
Affected Version
Versions <= 1.55
Affected Vendor
The YABB SE Team
Vendor Response
None (Product Discontinued)
Disclosure Timeline
2005.06.26 - Vulnerability Discovered
2005.06.27 - Vendor found to have discontinued support
2006.06.23 - Public Disclosure
Vulnerability Details
The vulnerability exists where the user-supplied variable $user is processed by the urldecode() function twice. This allows for the %2527 SQL injection technique: %2527 decodes to %27, which in turn decodes to ' (a single quote).
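An added example, not part of the original advisory: a Python check that flags request lines whose "user" parameter only reveals a quote after more than one round of URL decoding, which is the %2527 pattern described above. The request lines and the /forum/index.php path are constructed sample data, and the function names are hypothetical.

```python
from urllib.parse import unquote, urlsplit

# Characters that can break out of a quoted SQL string.
SQL_META = set("'\"\\")

def decode_layers(raw, max_rounds=5):
    """Return every form of `raw` produced by repeated URL decoding."""
    layers = [raw]
    for _ in range(max_rounds):
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers

def hidden_meta(raw):
    """Metacharacters that are absent after one decode (what input
    filtering sees) but present once decoding is repeated."""
    layers = decode_layers(raw)
    once = layers[1] if len(layers) > 1 else layers[0]
    return sorted((SQL_META & set(layers[-1])) - set(once))

def scan(request_lines, param="user"):
    """Return (line number, raw value, hidden characters) per flagged line."""
    hits = []
    for n, line in enumerate(request_lines, 1):
        parts = line.split()
        if len(parts) < 2:
            continue  # not a "METHOD target VERSION" request line
        for pair in urlsplit(parts[1]).query.split("&"):
            name, _, raw = pair.partition("=")
            found = hidden_meta(raw)
            if name == param and found:
                hits.append((n, raw, found))
    return hits

# Constructed sample request lines (not taken from the advisory).
SAMPLE = [
    "GET /forum/index.php?user=alice HTTP/1.1",
    "GET /forum/index.php?user=o%27brien HTTP/1.1",   # single-encoded quote
    "GET /forum/index.php?user=x%2527 HTTP/1.1",      # double-encoded quote
    "GET /forum/index.php?board=1&user=x%252527 HTTP/1.1",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A single-encoded quote (%27) is not flagged, because it is already visible after the first decode; only values that change again on a second decode are reported.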
Patch
It is recommended that, if you insist on continuing to use this product, you remove the line which reads "$user = urldecode($user);" from all functions in "\sources\profile.php".
Original Disclosure
http://seclists.org/fulldisclosure/2006/Jun/0752.html