OpenBB 1.06 SQL Injection Vulnerability


NI3
12-28-2003, 01:40 PM
A vulnerability exists in OpenBB 1.06 that could allow an attacker to manipulate SQL queries and obtain sensitive information from the database such as the administrator md5 password hash.

This vulnerability exists because the index.php script of the application does not sufficiently sanitize the input of the "CID" parameter.

As far as I know this vulnerability can only be exploited if the database server the forum uses supports the UNION keyword, so it is probably not exploitable with MySQL 3.x. I have successfully exploited this issue when using MySQL 4 as the database server.

Impact
------

If the admin password is weak enough the attacker could crack it using a brute force password cracker on the hash and get full control over the forum.

Solution
--------

I have notified the OpenBB developers and they have very quickly (a couple of hours, great work guys!) released a patched version. You can also patch your forum manually as described in the OpenBB advisory:
[Only registered and activated users can see links]


Cheers,

Niels Teusink
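
A defensive check for the flaw described in the post above, as an added example that is not part of the original post or of OpenBB's own code: it scans web server access logs for index.php requests whose CID value is not a plain integer. The Apache combined log format, the /forum/ path, and the premise that legitimate CID values are decimal integers are assumptions; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Dec/2003:13:40:01 +0000] "GET /forum/index.php?CID=4 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.11 - - [28/Dec/2003:13:40:07 +0000] "GET /forum/index.php?CID=4%20UNION%20SELECT%20NULL HTTP/1.1" 200 5311 "-" "Mozilla/4.0"
192.0.2.11 - - [28/Dec/2003:13:40:09 +0000] "GET /forum/index.php?CID=4%27 HTTP/1.1" 200 812 "-" "Mozilla/4.0"
192.0.2.12 - - [28/Dec/2003:13:41:00 +0000] "GET /forum/other.php?id=9 HTTP/1.1" 200 9000 "-" "Mozilla/4.0"
192.0.2.13 - - [28/Dec/2003:13:41:30 +0000] "GET /forum/index.php HTTP/1.1" 200 7000 "-" "Mozilla/4.0"
"""

# client, timestamp, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
INTEGER_RE = re.compile(r"[0-9]+")          # assumption: a valid CID is a decimal integer
UNION_RE = re.compile(r"\bunion\b", re.I)   # the keyword the advisory names


def suspicious_cid_requests(log_text):
    """Return one finding per index.php request whose CID is not an integer."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, worth counting in production
        client, when, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/index.php"):
            continue
        # parse_qsl URL-decodes values, so %20 and %27 are compared in decoded form
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key.upper() != "CID" or INTEGER_RE.fullmatch(value):
                continue
            reason = "union-keyword" if UNION_RE.search(value) else "non-numeric"
            findings.append({"client": client, "time": when,
                             "status": int(status), "cid": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in suspicious_cid_requests(SAMPLE_LOG):
        print(finding)
```

Access logs only record the query string, so a CID value sent in a POST body would not appear in them.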
