Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

SQL Injection Vulnerability In IBProArcade

from [mike bailey] Network Security [Permanent Link]
Subject: SQL Injection Vulnerability In IBProArcade
Date: 31 Dec 2004 13:19:01 -0000 


A flaw exists in the high scores module of IbProArcade which allows malicious 
SQL Code to be executed on the database the board & arcade use.

Demo: http://www.ibproarcade.com/index.php?act=Arcade&do=stats&gameid=104FOO

Fix this vuln by following the following directions...

open your sources/Arcade.php file

Find this code bit:

[code]       //----------------------------------------
       // Show_Stats
       //
       // This shows the leaderboard
       //
       //----------------------------------------

       function show_stats() {

               global $ibforums, $DB, $std;[/code]


Directly under that, add..

[code]if(!is_numeric($ibforums->input['gameid']))
          {
               $std->Error( array( 'LEVEL' => 1, 'MSG' => 'dont_try_it') );
          }[/code]


then open up your lang/en/lang_Arcade.php file scroll down to the bottom where 
you will find

[code] );

?>[/code]


right above that, add this:

[code]
#security
dont_try_it             => "I don't think so annie."[/code]

And you're set.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • SQL Injection Vulnerability In IBProArcade, mike bailey <=
Previous by Date:  MDKSA-2004:166 - Updated tetex packages fix multiple vulnerabilities, Mandrake Linux Security Team
Next by Date:  [EXPL] (MS04-031) NetDDE buffer overflow vulnerability PoC, houseofdabus HOD
Previous by Thread:  MDKSA-2004:166 - Updated tetex packages fix multiple vulnerabilities, Mandrake Linux Security Team
Next by Thread:  [EXPL] (MS04-031) NetDDE buffer overflow vulnerability PoC, houseofdabus HOD
Indexes:  [Date] [Thread] [Top] [All Lists]