Multiple Vulnerabilities in Skate Board

Summary

Vulnerability: Multiple Vulnerabilities in Skate Board
Discovered: 2006.02.17
Last Update: 2006.02.27 Exploitation code published
ID: EV0084
CVE: CVE-2006-0809, CVE-2006-0810, CVE-2006-0811
Risk Level: high
Type: Multiple Vulnerabilities
Status: Unpatched. No reply from developer(s)
Vendor: n/a
Vulnerable Software: Skate Board (http://bb.jiraiya.se/main.php?content=start)
Version: 0.9
PoC/Exploit: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

Multiple vulnerabilities were found in the Skate Board (http://bb.jiraiya.se/main.php?content=start) script.

1. SQL Injection.

Vulnerable script: includes/root/sendpass.php

The variable $_POST[usern] isn't properly sanitized before being used in a SQL query. This can be used to run any SQL query by injecting arbitrary SQL code.

Condition: magic_quotes_gpc - off

2. Authentication Bypass.

Vulnerable scripts: includes/root/login.php, includes/root/logged.php

The variables $_POST[usern], $_POST[passwd] and $_COOKIE[sf_cookie] are not properly sanitized before being used in a SQL query. This can be used to run any SQL query by injecting arbitrary SQL code, and to bypass authorization.

Condition: magic_quotes_gpc - off

3. PHP Code Injection.

The administrator can edit the values of variables in config.php. This can be used to inject arbitrary PHP code.

System access is possible.

4. Multiple Cross-Site Scripting.

Vulnerable script: includes/root/reguser.php

None of the user-defined data from the registration form is properly sanitized. This can be used to inject arbitrary HTML or script code.

PoC/Exploit

1. SQL Injection Example

Url: http://[host]/index.php?act=lostpass

Username: aaa' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20/*

2. Authentication Bypass.

a) From login form:

username: [username]' and 1/*

password: any

b) Cookie value

Cookie: sf_cookie=admin%27+and+1%2F%2A%3Basd

3. PHP Code Injection Example.

Min user chars is: 3; [code]

4. Multiple Cross-Site Scripting.

url: http://[host]/index.php?act=register

username: [XSS]

Full Name: [XSS]

Location: [XSS]

ICQ: [XSS]

Yahoo: [XSS]

Solution.

Solution for "Multiple Vulnerabilities in Skate Board" is not available. Check vendor's website for updates.
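
With no fix available, the mitigation for items 1 and 2 is to stop building SQL text from request data. The PHP below is an added example, not Skate Board's code and not part of the original advisory: the `users` table, its columns and the functions `login_concat` and `login_bound` are assumptions, run against an in-memory SQLite database through PDO.

```php
<?php
// Added example: constructed schema and data, not Skate Board's real code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, usern TEXT UNIQUE, passwd TEXT)');
$ins = $db->prepare('INSERT INTO users (usern, passwd) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Flaw class from items 1 and 2: request data concatenated into the SQL text.
// With magic_quotes_gpc off (the directive was removed in PHP 5.4) a quote in
// the input closes the string literal and the remainder is parsed as SQL.
function login_concat(PDO $db, string $usern, string $passwd): ?int
{
    $sql = "SELECT id FROM users WHERE usern = '$usern' AND passwd = '$passwd'";
    $id = $db->query($sql)->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Hardened form: the name is a bound parameter, so it is only ever data,
// and the password is checked against a stored hash in PHP, not in SQL.
function login_bound(PDO $db, string $usern, string $passwd): ?int
{
    $st = $db->prepare('SELECT id, passwd FROM users WHERE usern = :u');
    $st->execute([':u' => $usern]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($passwd, $row['passwd'])) {
        return null;
    }
    return (int) $row['id'];
}

// Login-form input taken from the PoC section, with "admin" as the username.
$formUser = "admin' and 1/*";

echo "concatenated, PoC name, any password: ";
var_dump(login_concat($db, $formUser, 'any'));
echo "bound, PoC name, any password: ";
var_dump(login_bound($db, $formUser, 'any'));
echo "bound, real name, wrong password: ";
var_dump(login_bound($db, 'admin', 'any'));
echo "bound, real name, right password: ";
var_dump(login_bound($db, 'admin', 'correct horse'));
```

The same parameter binding applies to the lookup keyed on `sf_cookie` and to the query in `includes/root/sendpass.php`.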