Title : YapBB select("SELECT p.date, t.id, t.description, u.nickname FROM " .
$cfgDatabase['post'] . " AS p, " . $cfgDatabase['topic'] . " AS t, " .
$cfgDatabase['user'] . " AS u WHERE t.id = p.topicid AND p.posterid = $userID AND
u.id = p.posterid GROUP BY p.topicid ORDER BY p.date DESC LIMIT 50"); // execute sql!
-
No words.
I wrote an exploit for getting all YapBB users' nicknames and passwords.
Sorry, I can't put the exploit in this advisory =)
0x04 Exploit
[x90c@hackzen testbed]$ whoami
x90c
[x90c@hackzen testbed]$
0x05 Patch
~/YapBB-1.2-Beta2/YapBB/find.php:
..
128: $postRes = $postQuery->select("SELECT p.date, t.id, t.description, u.nickname FROM " .
$cfgDatabase['post'] . " AS p, " . $cfgDatabase['topic'] . " AS t, " . $cfgDatabase['user'] .
" AS u WHERE t.id = p.topicid AND p.posterid = '" . addslashes($userID) .
"' AND u.id = p.posterid GROUP BY p.topicid ORDER BY p.date DESC LIMIT 50"); // x90c patch!
..
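The patch above quotes and escapes $userID with addslashes(), which is not aware of the connection character set. A stricter fix, assuming user ids are integers, is to reject anything that is not an integer and bind the value as a query parameter. The following is an added example, not YapBB code or the advisory author's patch: it assumes PDO with an in-memory SQLite database, and the table names, rows and the function findPostsByUser() are constructed for illustration.

```php
<?php
// Added example, not YapBB code. Table names and rows are constructed;
// YapBB takes its table names from $cfgDatabase and uses its own query class.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user  (id INTEGER PRIMARY KEY, nickname TEXT, password TEXT);
           CREATE TABLE topic (id INTEGER PRIMARY KEY, description TEXT);
           CREATE TABLE post  (id INTEGER PRIMARY KEY, topicid INT, posterid INT, date INT);
           INSERT INTO user  VALUES (1, 'alice', 'hash-a'), (2, 'bob', 'hash-b');
           INSERT INTO topic VALUES (10, 'Welcome'), (11, 'Rules');
           INSERT INTO post  VALUES (100, 10, 1, 1000), (101, 11, 1, 2000), (102, 10, 2, 3000);");

function findPostsByUser(PDO $db, $rawUserID): array
{
    // Accept only a positive decimal integer; anything else never reaches SQL.
    $userID = filter_var($rawUserID, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($userID === false) {
        return [];
    }
    // Same query shape as find.php, with the user id bound instead of concatenated.
    $stmt = $db->prepare(
        'SELECT p.date, t.id, t.description, u.nickname
           FROM post AS p, topic AS t, user AS u
          WHERE t.id = p.topicid AND p.posterid = :uid AND u.id = p.posterid
          GROUP BY p.topicid ORDER BY p.date DESC LIMIT 50'
    );
    $stmt->bindValue(':uid', $userID, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: two valid ids, then values that fail integer validation.
foreach (['1', '2', '1 OR 1=1', "1' --", ''] as $input) {
    printf("%-12s => %d row(s)\n", var_export($input, true), count(findPostsByUser($db, $input)));
}
```

Inputs that are not plain integers return an empty result without a query being run, so the password column of the user table is never reachable through this parameter.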
Thanks!
- Blu3h4t Team in korea