Multiple XSS and SQL Injection in aWebBB

Summary

Vulnerability
Multiple XSS and SQL Injection in aWebBB
Discovered
2006.04.01
Last Update
2006.04.11 Exploitation code published
ID
EV0117
CVE
CVE-2006-1637 CVE-2006-1638
Risk Level
medium
Type
Multiple Vulnerabilities
Status
Unpatched. Vendor notyfied.
Vendor
n/a
Vulnerable Software
aWebBB (http://labs.aweb.com.au/)
Version
1.2
PoC/Exploit
Available
Solution
Not available
Discovered by
Aliaksandr Hartsuyeu (eVuln.com)

Description

Multiple Vulnerabilities found in aWebBB (http://labs.aweb.com.au/) script.

1. Multiple Cross-Site Scripting Vulnerabilities.

Vulnerable Scripts:
post.php
register.php
editac.php

Parameters tname(post.php), fpost(post.php), fullname(editac.php), emailadd(editac.php), country(editac.php), sig(editac.php), otherav(editac.php), fullname(register.php), emailadd(register.php), country(register.php) are not properly sanitized. All BBCodes are not properly sanitized too.
This can be used to post arbitrary HTML or web script code.


2. Multiple SQL Injections.

Vulnerable scripts:
accounts.php
changep.php
dpost.php ($_GET[p])
editac.php
feedback.php
fpass.php
list.php ($_GET[c])
login.php
ndis.php id,c
post.php
reply.php
reply_log.php
search.php q


Parameters $Username(accounts.php, changep.php, editac.php, feedback.php, fpass.php, login.php, post.php, reply.php, reply_log.php), p(dpost.php), c(list.php,ndis.php), q(search.php) are not properly sanitized before being used in SQL queries. This can be used to make any SQL query by injecting arbitrary SQL code.

Condition: magic_quotes_gpc = off

PoC/Exploit

XSS Example:

URL: http://[host]/post.php?c=
New Forum Thread:
Thread Name: [XSS]
Thread Text: [XSS]


BBCode XSS Examples:

<a href=javascript:alert(1)>linked text</a>
<a href=www.website.com onmouseover="alert(2)">linked text</a>


2. SQL Injection Example.

URL: http://[host]/dpost.php?p=asddd'%20union%20select%201,2,3,4,5,6,7,8,9,10/*

Solution.

Solution for "Multiple XSS and SQL Injection in aWebBB" is not available. Check vendor's website for updates.

Order Source Code Testing

Check a site by source code review of your website done by eVuln team.The work will be done by experts in web application security.

Website Monitoring

Daily malware scanning. Allows to receive alerts about security problems in your website.
Details >>

Malicious redirects detected?

eVuln team will eliminate the reason, clean your website and monitor it.
Details >>

Website blacklisted?

eVuln team will clean your website, discover and fix security holes, remove from blacklists.
Details >>