My Little Forum SQL Injection Vulnerability in Bookmark Reordering Feature

Vulnerability

A SQL injection vulnerability has been identified in My Little Forum versions prior to 2.5.12. It allows authenticated users to execute arbitrary SQL commands through the bookmark reordering feature. The issue arises in the 'includes/bookmark.inc.php' file, where the 'bookmarks' POST parameter is processed. Although the input is passed through an escaping routine intended to sanitize it, the escaping is ineffective, leaving the parameter injectable. Exploitation of this vulnerability could lead to a complete compromise of the application's database, allowing attackers to read, modify, or delete all data.

Impact

Exploitation of this vulnerability allows for authenticated SQL injection, enabling low-privileged users to read, modify, or delete all database data, including user credentials and private messages.

Reproduction

To reproduce this vulnerability, log into a My Little Forum instance running a version prior to 2.5.12. Once logged in, send a POST request to 'index.php' with the 'mode' parameter set to 'bookmarks', the 'action' parameter set to 'reorder', and the 'bookmarks' parameter containing a crafted SQL payload such as '1) AND (SELECT SLEEP(5))-- -'. The injected SQL is executed by the database; in this case the response is delayed by 5 seconds, which confirms the injection.
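To show why quote-escaping cannot protect the 'bookmarks' parameter and what a defensive handler looks like, here is an added PHP example; it is not My Little Forum's code or its 2.5.12 patch. It assumes the client posts the bookmark IDs as a comma-separated string and uses placeholder table and column names.

```php
<?php
// Added example, not My Little Forum's code. Assumes the client sends the
// bookmark IDs as a comma-separated string in $_POST['bookmarks']; the
// table and column names below are placeholders for the real schema.

/**
 * Parse the posted order into positive integers, or return null if any
 * element is not a plain decimal number. Escaping cannot protect this value:
 * the IDs are used unquoted in SQL, so quote-escaping never triggers.
 */
function parse_bookmark_order(string $raw): ?array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        // ctype_digit() rejects signs, spaces, parentheses and SQL keywords
        if ($part === '' || !ctype_digit($part)) {
            return null;
        }
        $ids[] = (int) $part;
    }
    return $ids;
}

/**
 * Persist the new order with a prepared statement; $userId comes from the
 * session, so one user cannot reorder another user's bookmarks.
 */
function reorder_bookmarks(PDO $db, int $userId, array $ids): void
{
    $stmt = $db->prepare(
        'UPDATE bookmarks SET sort_order = :pos WHERE id = :id AND user_id = :uid'
    );
    foreach ($ids as $pos => $id) {
        $stmt->execute([':pos' => $pos, ':id' => $id, ':uid' => $userId]);
    }
}

// Why escaping is a no-op here: the advisory's payload contains no quote
// or backslash characters, so addslashes() returns it unchanged.
$payload = '1) AND (SELECT SLEEP(5))-- -';
assert(addslashes($payload) === $payload);
// Strict validation rejects it, while a legitimate order passes.
assert(parse_bookmark_order($payload) === null);
assert(parse_bookmark_order('3, 1,2') === [3, 1, 2]);

// Handler wiring (assumes $db is an existing PDO connection):
// $ids = parse_bookmark_order($_POST['bookmarks'] ?? '');
// if ($ids === null) { http_response_code(400); exit; }
// reorder_bookmarks($db, (int) $_SESSION['user_id'], $ids);
```

The same validation applies to any numeric list that reaches SQL unquoted: whitelist the shape of the value, then bind it with a prepared statement.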

Remediation

Users can upgrade to My Little Forum version 2.5.12 or later, where this vulnerability has been patched.

Added: Oct 22, 2025, 3:24 PM
Updated: Oct 22, 2025, 9:36 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 7.5
exploitability: 6.8
remediation: 7.7
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.