---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_vacancies/ Secunia is looking for new researchers with a reversing background and experience in writing exploit code: http://secunia.com/hardcore_disassembler_and_reverse_engineer/ http://secunia.com/Disassembling_og_Reversing/ http://secunia.com/Linux_Security_Specialist/ ---------------------------------------------------------------------- TITLE: IceBB Avatar SQL Injection and PHP Code Execution SECUNIA ADVISORY ID: SA24644 VERIFY ADVISORY: http://secunia.com/advisories/24644/ CRITICAL: Highly critical IMPACT: Manipulation of data, System access WHERE: >From remote SOFTWARE: IceBB 1.x http://secunia.com/product/13782/ DESCRIPTION: Hessam-x has discovered some vulnerabilities in IceBB, which can be exploited by malicious users to conduct SQL injection attacks and compromise a vulnerable system. 1) The avatar upload function does not properly verify the file type of uploaded avatars. This can be exploited to execute arbitrary PHP code by uploading malicious PHP files. 2) The filename of uploaded avatars is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting SQL code. Successful exploitation allows an attacker to gain administrator privileges, but requires that "magic_quotes_gpc" is disabled. The vulnerabilities are confirmed in version 1.0-rc5. Other versions may also be affected. SOLUTION: Edit the source code to ensure that the name and the type of files are properly sanitised and verified. PROVIDED AND/OR DISCOVERED BY: Hessam-x ORIGINAL ADVISORY: http://milw0rm.com/exploits/3580 http://milw0rm.com/exploits/3581 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------