Vulnerability: YourOwnBux 4.0 (COOKIE) Remote SQL Injection Vulnerability
Date: 2008.10.09
Risk Level: High
Credit: Tec-n0x
CVE ID: CVE-2008-4492
CWE ID: CWE-89

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
- Exploit range: Remote
- Attack complexity: Low
- Authentication: Not required
- Confidentiality impact: Partial
- Integrity impact: Partial
- Availability impact: Partial

Vulnerability Description:
Application: YourOwnBux version 4.0
Affected File: referrals.php
Vulnerability Type: Blind SQL Injection

Proof of Concept (PoC):

Exploitation Steps:
- Modify the cookie value by appending an SQL injection payload.
- Extract user information, including SHA1 hashes, using blind SQL injection techniques.

The complete exploit will be available on DropSec.com the following week.

References:
http://www.securityfocus.com/bid/31624
http://www.milw0rm.com/exploits/6693