########################## WwW.BugReport.ir ########################################### # # BugReport Security Research & Penetration Testing Group # # Title: [Sky Portal] Multiple SQL Injection Vulnerabilities # Vendor: http://skyportal.net # Exploitation: Remote with browser # Fix Available: Patched In Last Version In Vendor ####################################################################################### # Leaders : Shahin Ramezany & Sorush Dalili # Team Members: Alireza Hasani ,Amir Hossein Khonakdar, Hamid Farhadi # Security Site: WwW.BugReport.ir - WwW.AmnPardaz.Com # Country: Iran # Contact : admin@bugreport.ir ######################## Bug Description ########################### Description: -------------------- A Lot Of Sql Injection Found And We Exploit One Of them A Registered User Can Change His/Her Name And Read All Other's Private Messages. Vulnerabilities: -------------------- +--> Multiple SQL Injection Vulnerabilities nc_top.asp Line 59 strDBNTFUserName = Mitoone injection bezane be functione line 60 iani isMbr() >>> test.htm but !??! this function is very crazy! -------------------------- user can delete all bookmarks inc_bookmarks.asp line 179 delSQL = "DELETE FROM "& strTablePrefix & "BOOKMARKS WHERE BOOKMARK_ID = " & delBkmk(ib) this file use from cp_main.asp --------------------------- inc_profile_functions.asp line 568,570,572,573 --------------------------- user can delete all SUBSCRIPTIONS> inc_SUBSCRIPTIONS.asp line 163 delSQL = "DELETE FROM "& strTablePrefix & "SUBSCRIPTIONS WHERE SUBSCRIPTION_ID = " & delBkmk(ib) executeThis(delSQL) this file use from cp_main.asp -------------------------- Html Exploit ------------------------------
Credit: -------------------- BugReport Security Research & Penetration Testing Group WwW.BugReport.ir # milw0rm.com [2007-11-20]