Yxbbs3.0 two Injection Vulnerabilities

Release: Xiaoqiang

Affected Versions:
Yxbbs3.0
Vulnerability description:
During User Registration, yxbbs checks whether the user name already exists and whether the user name is valid in real time. However, during the detection, the server does not check the data submitted by the user. This is a user-friendly function, introduced an injection point. The specific file "See. asp" does not check the name = unescape (Request ("name") submitted by the user. Test URL:

Http://www.yimxu.com/bbs/See.Asp? Action = CheckName & name = yxbbs and (select top 1 asc (mid (password, 1, 1) from yx_admin)> 56 and 1 = 1

// Officially repaired

 

Second:

In Usersetup. asp, a numeric variable is used as a text check and filtered, resulting in an SQL injection vulnerability.
The problem lies in Sex = yxbbs. Fun. GetStr ("Sex"), which defines the GetStr method in Yx_Cls.asp,
In fact, for normal injection, only single quotation marks are effectively filtered. The SQL statement execution is involved if no Sex test is performed below:
YxBBs.exe cute ("update [YX_User] set Birthday =" & Birthday & ", Sex =" & Sex & ", PicW =" & PicW &", picH = "& PicH &", Mail = "& Mail &", QQ = "& QQ &", Honor = "& Honor &", Pic = "& PicUrl &", home = "& Home &", Sign = "& Sign &", IsQQpic = "& IsQQpic &" where name = "& YxBBs. myName & "And Password =" & YxBBs. myPwd &"")
If the mssql database version supports multi-step statements, this vulnerability is fatal. If the access version is used, the harm is much lower, that is, modifying the parameters. For example, if you can add some deposits to your bank, the sex is 1 and BankSave = 9999999. After the information is modified, the bank deposits will change to 9999999.