WhiteBoard 0.1.30 - Multiple Blind SQL Injections

Author: Salvatore Fresta
type: webapps
platform: php
port: 
date_added: 2010-07-25 
date_updated: 2010-08-02 
verified: 0 
codes: OSVDB-66626 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comwhiteboard-0.1.30.zip

WhiteBoard 0.1.30 Multiple Blind SQL Injection Vulnerabilities

 Name              WhiteBoard
 Vendor            http://sarosoftware.com
 Versions Affected 0.1.30

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-07-24

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX


I. ABOUT THE APPLICATION
________________________

WhiteBoard  is  a  fast,  powerful, and free open source
discussion board solution.  The project started in March
of 2007,  and  its  recent release is the culmination of
three  years of hard work. Developed by a Zend Certified
PHP  Engineer,   this  discussion  board  uses  advanced
algorithms  and  features  which  previously  were  only
available in paid discussion board solutions.


II. DESCRIPTION
_______________

Some  parameters  in  controlpanel.php  are not properly
sanitised before being used in SQL queries.


III. ANALYSIS
_____________

Summary:

 A) Multiple Blind SQL Injection


A) Multiple Blind SQL Injection
______________________

The  parameters  email and displayname  sent via POST to
controlpanel.php are not properly sanitised before being
used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.

Successful exploitation  requires that "magic_quotes_gpc"
is disabled.


IV. SAMPLE CODE
_______________

A) Multiple Blind SQL Injection

1 - Login as a normal user.
2 - Go to index.php?act=controlPanel

Try the following code as "Display Name" or "E-mail":

' OR (SELECT(IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)))#


V. FIX
______

No fix.