Discuz nds-ques-viewanswer Plugin SQL Injection Scanner
Detects 'SQL Injection' vulnerability in Discuz nds_ques_viewanswer Plugin.
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 5 days 1 hour
Scan only one: Domain, Subdomain, IPv4
Discuz! is a widely-used community forum software system that facilitates online discussions and community building. It is used by a diverse range of communities including hobbyists, clubs, organizations, and businesses. The software provides various features for user engagement such as forums, polls, and private messaging. Discuz! is frequently used in regions where community interaction and user engagement are pivotal. Organizations use Discuz! to foster online discussions and maintain user-generated content. Its flexibility and user-friendly interface make it a popular choice for setting up and managing forums.
The SQL Injection vulnerability detected in the Discuz! nds_ques_viewanswer plugin is a critical security concern. SQL Injection occurs when attacker-controlled input submitted through request parameters or input fields is placed into a SQL statement and executed by the database as part of the query. This specific vulnerability allows attackers to alter the SQL queries issued by the plugin. As a result, attackers can execute arbitrary SQL and read sensitive database content. The vulnerability is particularly severe because it can lead to unauthorized data exposure, data modification, or even full control over the database.
Technical details of the vulnerability indicate that it resides in the plugin parameter "srchtxt" of the `nds_ques_viewanswer` component. The vulnerable endpoint is susceptible because it passes user input into a SQL query without safe handling. The scan template probes for a basic SQL Injection by sending a crafted payload through the "orderby" parameter. The payload uses the database's updatexml function so that the response reveals whether the injection was evaluated. A response containing a specific hash value indicates that the injection succeeded, confirming the presence of the vulnerability.
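For defenders who want to spot probes of this kind in their own web server logs, the following added example (not part of the scanner or of Discuz!) scans combined-format access-log lines for requests to the nds_ques_viewanswer plugin whose "srchtxt" or "orderby" parameter carries an updatexml-style error-based pattern, after undoing layered URL-encoding. The log lines are constructed samples, and the URL shape `plugin.php?id=nds_ques_viewanswer` is an assumption about how the plugin is addressed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not real traffic.
# The plugin URL shape "plugin.php?id=nds_ques_viewanswer" is an assumption.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /plugin.php?id=nds_ques_viewanswer&srchtxt=hello&orderby=dateline HTTP/1.1" 200 5120
203.0.113.11 - - [01/Jan/2024:10:00:02 +0000] "GET /plugin.php?id=nds_ques_viewanswer&orderby=1%27%20and%20updatexml(1,%27PLACEHOLDER%27,1)--%20- HTTP/1.1" 500 812
203.0.113.12 - - [01/Jan/2024:10:00:03 +0000] "GET /plugin.php?id=nds_ques_viewanswer&srchtxt=%2527%2520UpDaTeXmL%2528 HTTP/1.1" 200 4096
203.0.113.13 - - [01/Jan/2024:10:00:04 +0000] "GET /forum.php?mod=viewthread&tid=42&orderby=updatexml HTTP/1.1" 200 9000
"""

REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')
# Parameters named as injection points in the description above.
WATCHED_PARAMS = ("srchtxt", "orderby")
# Error-based MySQL XML functions plus the usual quote/comment tell-tales.
SUSPICIOUS_RE = re.compile(r"(updatexml|extractvalue)\s*\(|'\s*(and|or)\b|--\s|/\*", re.I)

def normalize(value: str) -> str:
    """parse_qs already decoded once; undo up to two more layers and strip /* */ comments."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"/\*.*?\*/", " ", value)

def scan_line(line: str):
    """Return a finding dict for a suspicious plugin request, else None."""
    m = REQ_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    params = parse_qs(url.query, keep_blank_values=True)
    if params.get("id") != ["nds_ques_viewanswer"]:  # scope to the affected plugin only
        return None
    hits = {}
    for name in WATCHED_PARAMS:
        for raw in params.get(name, []):
            val = normalize(raw)
            if SUSPICIOUS_RE.search(val):
                hits[name] = val
    if not hits:
        return None
    return {"ip": m["ip"], "status": int(m["status"]), "params": hits}

def scan_log(text: str):
    """Scan every line of an access log and collect the findings in order."""
    return [r for r in (scan_line(l) for l in text.splitlines()) if r]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 500 status alongside a flagged parameter is worth correlating with database error logs, since error-based probes rely on the database reporting the injected expression back.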
Exploitation of this SQL Injection vulnerability may lead to several severe consequences. Attackers who successfully exploit this flaw can retrieve sensitive information such as user credentials, private messages, or other database content. They might also modify or delete database records, disrupting the forum's functionality and the trust users place in it. In extreme cases, attackers can escalate the attack to gain administrative privileges or insert malicious content that could compromise the entire server hosting the forum. Additionally, this could lead to reputational damage and loss of trust among community members.