CVE-2009-3804
Published: 2009-10-27
Priority: P3 (35)
CVSS 2.0: 6.5 (medium), vector AV:N/AC:L/Au:S/C:P/I:P/A:P
Exploit: public (Exploit-DB entries below)
EPSS: 0.81% (52.2nd percentile)
Multiple SQL injection vulnerabilities in modules/forum/post.php in RunCMS 2M1 allow remote authenticated users to execute arbitrary SQL commands via (1) the pid parameter, which is not properly handled by the store function in modules/forum/class/class.forumposts.php, or (2) the topic_id parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| runcms | runcms | — | — |
The description names RunCMS 2M1; no version range or fixed version is recorded for this entry.
No detection rules found.
Exploit-DB: RunCMS 2m1 - 'store()' SQL Injection (exploitdb, 2009-10-26)
---
```php
// Excerpt from modules/forum/class/class.forumposts.php, store(): the INSERT is
// built by string concatenation. The statement begins before this excerpt (it
// is cut off at the post_id field). pid and topic_id are spliced in unquoted
// and without intval(), whereas allow_html and the other flags are wrapped in
// intval(); those two uncast fields are the injection points the CVE names.
    post_id.",
    pid=".$this->pid.",
    topic_id=".$this->topic_id.",
    forum_id=".$this->forum_id.",
    post_time=$datetime,
    uid=".$this->uid.",
    poster_ip='".$this->poster_ip."',
    subject='".$subject."',
    post_text='".$post_text."',
    allow_html=".intval($this->allow_html).",
    allow_smileys=".intval($this->allow_smileys).",
    allow_bbcode=".intval($this->allow_bbcode).",
    type='".$this->type."',
    icon='".$this->icon."',
    has_attachment=".intval($this->has_attachment).",
    is_approved=".intval($this->is_approved).",
    anon_uname='".$this->anon_uname."',
    attachsig=".$this->attachsig."";
if ( !$result = $db->query($sql) ) {
...
```
This function is called by /modules/forum/post.php near lines 153-158:
```php
// Excerpt from modules/forum/post.php; the query text is cut off after
// "SELECT t.top" in the source excerpt.
...
$postid = $forumpost->store();
if ($isreply == 1) {
    $sql = "SELECT t.top
```
Exploit-DB: RunCMS - 'forum' SQL Injection (exploitdb, 2009-10-26)
---
source: https://www.securityfocus.com/bid/36816/info
RunCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
```php
// Excerpt from modules/forum/post.php; the statement that builds $sql, and the
// start of the if-condition, are cut off before this point.
query($sql)) {
    redirect_header("index.php", 2, _MD_CANTGETFORUM);
    exit();
}
...
```
The 'forum' variable is taken from the $_POST[] array and inserted in a SQL query without prior sanitization and without being surrounded by quotes. Then you can subsequently manipulate this query in /modules/forum/class/class.permissions.php by passing another 'UNION SELECT' as first argument of the 'UNION SELECT' passed to po
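Both Exploit-DB entries describe the same defect: an id taken from the request (pid and topic_id in store(), forum in post.php) spliced into the query with neither quotes nor a cast, while neighbouring flags are protected by intval(). The following is an added example, not RunCMS or Exploit-DB code, that reproduces that pattern in Python against an in-memory SQLite database and sets the hardened version beside it. The schema (users, forum_posts), the sample rows, the payload and the function names store_vulnerable and store_hardened are all constructed for the demonstration; the payload is not the one used by either Exploit-DB entry.

```python
"""Unquoted numeric concatenation versus a typed, parameterised insert.

Added example, not RunCMS code. It models the pattern visible in the
Exploit-DB excerpt (pid and topic_id spliced in as "pid=".$this->pid.","
with no quotes and no intval()) on a constructed SQLite schema. Table and
column names, sample rows and the payload are assumptions for the demo.
"""
import sqlite3

COLUMNS = "pid, topic_id, forum_id, uid, subject, post_text"


def make_db() -> sqlite3.Connection:
    """Constructed fixture: a users table holding a secret, an empty posts table."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT, pass TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-password');
        CREATE TABLE forum_posts (
            post_id  INTEGER PRIMARY KEY AUTOINCREMENT,
            pid      INTEGER, topic_id INTEGER, forum_id INTEGER, uid INTEGER,
            subject  TEXT,    post_text TEXT
        );
        """
    )
    return db


def store_vulnerable(db, pid, topic_id, forum_id, uid, subject, post_text) -> str:
    """Mirrors the excerpt: the id fields enter the statement unquoted and uncast.

    subject and post_text are quoted and escaped so the only hole is the numeric
    one the CVE text describes. SQLite has no MySQL-style INSERT ... SET, so the
    equivalent VALUES form is used; the concatenation is the same.
    """
    def q(s: str) -> str:
        return "'" + s.replace("'", "''") + "'"

    sql = (f"INSERT INTO forum_posts ({COLUMNS}) VALUES ("
           f"{pid}, {topic_id}, {forum_id}, {uid}, {q(subject)}, {q(post_text)})")
    db.execute(sql)
    db.commit()
    return sql


def store_hardened(db, pid, topic_id, forum_id, uid, subject, post_text) -> int:
    """Id fields are coerced to int (the role intval() plays for allow_html etc.
    in the excerpt) and every value is bound as a parameter.

    int() raises on anything but an integer literal, unlike PHP intval(), which
    silently keeps the leading digits; rejecting is the safer choice for an id.
    """
    try:
        ids = [int(v) for v in (pid, topic_id, forum_id, uid)]
    except (TypeError, ValueError) as exc:
        raise ValueError("id parameters must be integers") from exc
    cur = db.execute(f"INSERT INTO forum_posts ({COLUMNS}) VALUES (?, ?, ?, ?, ?, ?)",
                     (*ids, subject, post_text))
    db.commit()
    return cur.lastrowid


# Constructed payload: a bare subselect fits in the unquoted numeric slot, and
# SQLite stores whatever text it evaluates to, so the admin hash lands in pid.
PAYLOAD = "(SELECT pass FROM users WHERE uid = 1)"


def run_demo() -> dict:
    db = make_db()
    store_vulnerable(db, PAYLOAD, 7, 1, 2, "hello", "body")
    leaked = db.execute("SELECT pid FROM forum_posts WHERE post_id = 1").fetchone()[0]

    try:
        store_hardened(db, PAYLOAD, 7, 1, 2, "hello", "body")
        hardened = "accepted"
    except ValueError:
        hardened = "rejected"

    # Binding alone (no int cast) also neutralises it: the string is stored, not run.
    db.execute(f"INSERT INTO forum_posts ({COLUMNS}) VALUES (?, ?, ?, ?, ?, ?)",
               (PAYLOAD, 7, 1, 2, "hello", "body"))
    bound = db.execute("SELECT pid FROM forum_posts ORDER BY post_id DESC LIMIT 1").fetchone()[0]
    return {"leaked": leaked, "hardened": hardened, "bound": bound}


if __name__ == "__main__":
    print(run_demo())
```

The cast-then-bind order matters: binding alone keeps the payload from executing, but an id column that silently stores arbitrary text is still a logic bug, so the hardened path rejects non-integers before the query is ever built.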
No writeups or analysis indexed.