img BBCode XSS and Cookie SQL Injection in EKINboard

Summary

Vulnerability: img BBCode XSS and Cookie SQL Injection in EKINboard
Discovered: 2006.02.27
Last Update: 2006.03.14 CVE entries added
ID: EV0088
CVE: CVE-2006-1129 CVE-2006-1130
Risk Level: medium
Type: Multiple Vulnerabilities
Status: Patched
Vendor: n/a
Vulnerable Software: EKINboard (http://www.ekinboard.com/)
Version: 1.0.3
PoC/Exploit: Available
Solution: Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

Multiple vulnerabilities were found in the EKINboard (http://www.ekinboard.com/) script.

1. 'img' BBCode Cross-Site Scripting Vulnerability.

Arbitrary JavaScript code can be inserted through the [img] BBCode tag.

2. Cookie 'username' SQL Injection Vulnerability

Vulnerable Script: config.php

The variables $_COOKIE['username'] and $_COOKIE['password'] are not properly sanitized. This can be used to bypass authentication or to run any SQL query by injecting arbitrary SQL code.

PoC/Exploit

1. BBCode Cross-Site Scripting Example

[img=javascript:alert(123)]

2. Cookie 'username' SQL Injection Example

Cookie: username=' or 1/*

Cookie: password=[any]

Solution

A vendor-provided patch is available here:

http://www.ekinboard.com/forums/v1/viewtopic.php?id=469
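
One way to handle the two inputs described above, as an added PHP example (not EKINboard's code and not the vendor patch): an [img] renderer that accepts only absolute http/https URLs, and a cookie lookup that binds the cookie values as query parameters. The users table, its columns, the function names and the sample row are assumptions, and an in-memory SQLite database through PDO stands in for the board's database.

```php
<?php
// Added illustration, not EKINboard code: the users table, its columns and
// both function names are hypothetical; sample data is constructed.

// Finding 1: emit <img> only for absolute http(s) URLs; anything else stays text.
function render_img_bbcode(string $post): string
{
    // Escape the whole post first so no user markup reaches the page.
    $escaped = htmlspecialchars($post, ENT_QUOTES, 'UTF-8');
    $pattern = '~\[img=([^\]\s]+)\]|\[img\]([^\[\s]+)\[/img\]~i';
    return preg_replace_callback($pattern, function (array $m): string {
        // Group 2 is present only for the [img]URL[/img] form.
        $url = htmlspecialchars_decode($m[2] ?? $m[1], ENT_QUOTES);
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        $host = (string) parse_url($url, PHP_URL_HOST);
        if (!in_array($scheme, ['http', 'https'], true) || $host === '') {
            return $m[0]; // rejected: the tag stays as inert, escaped text
        }
        return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
    }, $escaped) ?? $escaped;
}

// Finding 2: cookie values are bound as parameters, never spliced into the SQL text.
function user_from_cookies(PDO $db, array $cookies): ?array
{
    $username = $cookies['username'] ?? '';
    $password = $cookies['password'] ?? '';
    if (!is_string($username) || !is_string($password)) {
        return null; // array-valued cookies are rejected outright
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO users (username, password) VALUES ('admin', 'stored-value')");

// The advisory's two PoC inputs, then one legitimate input for each function.
var_dump(render_img_bbcode('[img=javascript:alert(123)]'));
var_dump(user_from_cookies($db, ['username' => "' or 1/*", 'password' => 'any']));
var_dump(render_img_bbcode('[img=http://example.com/a.png]'));
var_dump(user_from_cookies($db, ['username' => 'admin', 'password' => 'stored-value']));
```

Running it requires the pdo_sqlite extension; the same prepare/execute calls apply unchanged to other PDO drivers.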