© 2008 eshu.co.uk - all rights reserved Disclaimer
Home Advisories About
ESHU0602 - Details
YABB SE Double Encoded "user" Parameter SQL Injection

Affected Product

Affected Version
Versions <= 1.55

Affected Vendor
The YABB SE Team

Vendor Response
None (Product Discontinued)

Disclosure Timeline
2005.06.26 - Vulnerabiliity Discovered
2005.06.27 - Vendor found to have discontinued support
2006.06.23 - Public Disclosure

Vulnerability Details
The vulnerability exists where the user supplied variable $user is processed by the urldecode() function twice, this allows for the %2527 (decodes to %27 decodes to ') SQL injection technique.

It is recomended that if you insist on continuing the use of this product, you remove the line which reads "$user = urldecode($user);" from all functions in "\sources\proflie.php".

Original Disclosure