Multiple XSS and SQL Injection in aWebBB
Summary
- Vulnerability: Multiple XSS and SQL Injection in aWebBB
- Discovered: 2006.04.01
- Last Update: 2006.04.11 Exploitation code published
- ID: EV0117
- CVE: CVE-2006-1637, CVE-2006-1638
- Risk Level: medium
- Type: Multiple Vulnerabilities
- Status: Unpatched. Vendor notified.
- Vendor: n/a
- Vulnerable Software: aWebBB (http://labs.aweb.com.au/)
- Version: 1.2
- PoC/Exploit: Available
- Solution: Not available
- Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
Description
Multiple vulnerabilities were found in the aWebBB (http://labs.aweb.com.au/) script.
1. Multiple Cross-Site Scripting Vulnerabilities.
Vulnerable scripts and parameters:
post.php: tname, fpost
register.php: fullname, emailadd, country
editac.php: fullname, emailadd, country, sig, otherav
These parameters are not properly sanitized. All BBCodes are not properly sanitized either.
This can be used to post arbitrary HTML or web script code.
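Remediation example for the XSS class above (added here; this is not aWebBB code). It shows the pattern that closes both the raw-HTML and the BBCode vectors: HTML-escape the whole post first, then translate only a whitelist of BBCode tags into fixed markup, and re-validate any URL taken from a [url=...] tag so that only http/https schemes produce an anchor. Function names, the tag set and the sample posts are assumptions made for this illustration.

```php
<?php
// Added example, not aWebBB's code: a minimal BBCode renderer that escapes
// first and only then re-introduces a small whitelist of tags.
// Function and tag names are illustrative assumptions.

declare(strict_types=1);

function safe_url(string $url): ?string
{
    // Only absolute http/https URLs are accepted; "javascript:", "data:" and
    // anything containing quotes, angle brackets or whitespace is rejected.
    $url = trim($url);
    if (!preg_match('#\Ahttps?://[^\s"\'<>]+\z#i', $url)) {
        return null;
    }
    return $url;
}

function render_bbcode(string $input): string
{
    // Step 1: neutralise every HTML-significant character. Because this runs
    // first, a raw <a ...> or <script> in the post body stays inert text.
    $html = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Step 2: map whitelisted BBCode tags to fixed HTML with no user-controlled attributes.
    $html = preg_replace('#\[b\](.*?)\[/b\]#is', '<strong>$1</strong>', $html);
    $html = preg_replace('#\[i\](.*?)\[/i\]#is', '<em>$1</em>', $html);

    // [url=...]text[/url]: decode the captured URL, validate its scheme, re-escape it.
    $html = preg_replace_callback(
        '#\[url=([^\]]+)\](.*?)\[/url\]#is',
        function (array $m): string {
            $raw = htmlspecialchars_decode($m[1], ENT_QUOTES);
            $url = safe_url($raw);
            if ($url === null) {
                // Disallowed scheme or malformed URL: emit the link text only, no anchor.
                return $m[2];
            }
            $attr = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            return '<a href="' . $attr . '" rel="nofollow noopener">' . $m[2] . '</a>';
        },
        $html
    );

    return $html;
}

// Constructed sample posts for demonstration.
$samples = [
    'Hello [b]world[/b]',
    '<a href=javascript:alert(1)>linked text</a>',   // raw HTML from the PoC: rendered as inert text
    '[url=javascript:alert(1)]click[/url]',           // scheme rejected: no anchor is emitted
    '[url=http://example.com/?a=1&b=2]ok[/url]',      // accepted and correctly attribute-escaped
];
foreach ($samples as $s) {
    echo render_bbcode($s), "\n";
}
```

The order matters: escaping after BBCode translation would destroy the generated markup, while translating before escaping leaves the attacker in control of attribute values. Escaping first and then emitting only fixed tags with validated attribute values is what makes the whitelist enforceable.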
2. Multiple SQL Injections.
Vulnerable scripts and parameters:
accounts.php: $Username
changep.php: $Username
dpost.php: p ($_GET[p])
editac.php: $Username
feedback.php: $Username
fpass.php: $Username
list.php: c ($_GET[c])
login.php: $Username
ndis.php: id, c
post.php: $Username
reply.php: $Username
reply_log.php: $Username
search.php: q
These parameters are not properly sanitized before being used in SQL queries. This can be used to execute arbitrary SQL queries by injecting SQL code.
Condition: magic_quotes_gpc = off
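Remediation example for the SQL injection class above (added here; this is not aWebBB code). The advisory's condition, magic_quotes_gpc = off, points at the underlying problem: the application relies on a PHP runtime setting to escape input instead of separating code from data. With parameterised queries the setting becomes irrelevant. The example covers the three parameter shapes the advisory lists: numeric identifiers (p, c, id), a free-text search term (q) and the session-derived $Username. The DSN, credentials, table and column names are placeholders assumed for this illustration.

```php
<?php
// Added example, not aWebBB's code: the dpost.php / list.php / search.php style
// lookups described in the advisory, rewritten with PDO prepared statements so
// the value of magic_quotes_gpc no longer matters. Schema names are assumptions.

declare(strict_types=1);

function db(): PDO
{
    // Placeholder DSN and credentials. Emulated prepares are disabled so the
    // database server, not the client library, performs parameter binding.
    return new PDO('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'user', 'password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Numeric identifiers (p in dpost.php, c in list.php, id in ndis.php) are
// validated as positive integers before they get anywhere near a query.
function require_int_param(array $params, string $name): int
{
    $v = filter_var($params[$name] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($v === false) {
        http_response_code(400);
        exit('Bad request');
    }
    return $v;
}

function fetch_post(PDO $pdo, int $postId): ?array
{
    $stmt = $pdo->prepare('SELECT id, tname, fpost FROM posts WHERE id = :id');
    $stmt->execute([':id' => $postId]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Free-text search (q in search.php): bind the whole value as one parameter and
// escape only the LIKE metacharacters, so "%" or "_" in the input cannot widen the
// match. MySQL's default LIKE escape character is the backslash.
function search_posts(PDO $pdo, string $q): array
{
    $pattern = '%' . addcslashes($q, '%_\\') . '%';
    $stmt = $pdo->prepare('SELECT id, tname FROM posts WHERE fpost LIKE :q LIMIT 50');
    $stmt->execute([':q' => $pattern]);
    return $stmt->fetchAll();
}

// A value taken from the session or cookie ($Username in the advisory) is still
// attacker-influenced data to the database: bind it exactly like a GET parameter.
function fetch_account(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, emailadd FROM accounts WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Handler in the style of dpost.php: validate, bind, and encode on output.
$pdo  = db();
$post = fetch_post($pdo, require_int_param($_GET, 'p'));
echo $post === null
    ? 'No such post'
    : htmlspecialchars($post['tname'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
```

Type validation and binding are complementary, not alternatives: binding alone keeps a value such as the one in the PoC URL below from being parsed as SQL, while integer validation additionally rejects it at the edge with a 400 before a database round trip, which is also the point at which a request like that is worth logging.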
PoC/Exploit
1. XSS Example:
URL: http://[host]/post.php?c=
New Forum Thread:
Thread Name: [XSS]
Thread Text: [XSS]
BBCode XSS Examples:
<a href=javascript:alert(1)>linked text</a>
<a href=www.website.com onmouseover="alert(2)">linked text</a>
2. SQL Injection Example:
URL: http://[host]/dpost.php?p=asddd'%20union%20select%201,2,3,4,5,6,7,8,9,10/*
Solution
A solution for "Multiple XSS and SQL Injection in aWebBB" is not available. Check the vendor's website for updates.