[IceBB]

# Author: __GiReX__ 26/07/08

# Homepage: # CMS: IceBB input; $g)

{

...

$where_clauses[] = "{$k}="{$g}""; qwhere = implode(" AND ",$where_clauses);

$total = $db->fetch_result("SELECT COUNT(*) as total FROM icebb_users{$this->qwhere}{$qextra}"); eatCookie("uid");

$login_key = $std->eatCookie("login_key");$icebb->hooks->hook("login_autoLogin", $uid, $login_key);$userq = $db->query("SELECT u.*,g.* FROM icebb_users AS u LEFT JOIN icebb_groups AS g ON u.user_group=g.gid WHERE u.id=".intval($uid)." AND u.login_key="{$login_key}" LIMIT 1");

$udata = $db->fetch_row($userq);if($db->get_num_rows($userq)>=1)

{

if($std->eatCookie("pass")==$udata["password"])

{

$sessid = md5(uniqid(microtime()));

$ip = $icebb->client_ip;

$user_agent = $std->clean_string($_SERVER["HTTP_USER_AGENT"]);//$db->query("DELETE FROM icebb_session_data WHERE username="{$udata["username"]}" OR ip="{$ip}"",1);175. $sessdata = $this->create_session($udata["username"],$udata["id"],false,true);

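If the admin has cookies enabled, we can log in and create/edit/delete posts and topics.

Root cause, as far as the excerpts above show: the `login_key` cookie value is interpolated into the auto-login query with no escaping visible (only `uid` passes through `intval()`), and the member-list filter appears to build its WHERE clause from `{$k}`/`{$g}` in the same way. Escaping or binding these values before they reach `$db->query()` / `$db->fetch_result()` closes both paths.

############################### Perl Exploit Start #############################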

#!/usr/bin/perl

# IceBB