PHP Code Execution and Multiple XSS in FreeForum
Summary
- Vulnerability: PHP Code Execution and Multiple XSS in FreeForum
- Discovered: 2006.02.27
- Last Update: 2006.03.09 (exploitation code published)
- ID: EV0089
- CVE: CVE-2006-0957, CVE-2006-0958
- Risk Level: high
- Type: Multiple Vulnerabilities
- Status: Patched
- Vendor: ZoneO-Soft (http://soft.zoneo.net/)
- Vulnerable Software: FreeForum (http://soft.zoneo.net/freeForum/)
- Version: 1.2
- PoC/Exploit: Available
- Solution: Available
- Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
Description
Multiple vulnerabilities were found in the FreeForum (http://soft.zoneo.net/freeForum/) script.
1. PHP Code Execution Vulnerability.
Vulnerable Script: func.inc.php
The variables $_SERVER[HTTP_X_FORWARDED_FOR] and $_SERVER[HTTP_CLIENT_IP] are not sanitized before being written into the 'Data/flood.db.php' file. Because these values end up in a PHP file, arbitrary PHP code can be injected by sending an HTTP request with a forged X-Forwarded-For or Client-IP header value.
System access is possible.
2. Multiple Cross-Site Scripting
Vulnerable Script: func.inc.php
The variables $name and $subject are not properly sanitized. This can be used to post a message containing arbitrary HTML or JavaScript code.
PoC/Exploit
1. PHP Code Execution Example.
HTTP Query:
- POST /freeforum/index.php HTTP/1.0
- Host: [host]
- X-Forwarded-For: anyIP<? [code] ?>
- Content-Length: 91
- name=qqq&email=qqq@qqq.com&subject=qqq&text=qqq&mode=postanswer&thread=1&cat=1&submit=Add
2. Cross-Site Scripting Example.
URL: http://[host]/freeforum/index.php
Your name: [XSS]
Subject: [XSS]
Solution
A vendor-provided solution is available now.
Install or upgrade to version 1.2.1:
http://soft.zoneo.net/freeForum/changes.php
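
The input handling that the two issues described above lack, shown as an added defensive example (it is not FreeForum's code and not the vendor's 1.2.1 fix). The function names, the JSON record layout and the flood.db.json file name are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical helpers, not FreeForum's func.inc.php.

// Pick the client address to record for flood control. Forwarding headers are
// attacker-controlled, so a value is used only if it parses as an IP literal.
// A well-formed header can still be spoofed; this only keeps non-address data out.
function flood_client_ip(array $server): string
{
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'] as $key) {
        if (!isset($server[$key])) {
            continue;
        }
        // X-Forwarded-For may carry a comma-separated chain; check the first hop.
        $candidate = trim(explode(',', $server[$key])[0]);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    // REMOTE_ADDR comes from the TCP connection, not from a request header.
    $remote = $server['REMOTE_ADDR'] ?? '';
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

// Append one record as JSON to a data file that does not have a .php name,
// so stored request data is never handed to the PHP interpreter.
function flood_record(string $file, string $ip, int $time): void
{
    $line = json_encode(['ip' => $ip, 't' => $time]) . "\n";
    file_put_contents($file, $line, FILE_APPEND | LOCK_EX);
}

// Encode $name / $subject at output time so markup is displayed, not interpreted.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample request, using the header shape from the PoC section.
$server = [
    'HTTP_X_FORWARDED_FOR' => 'anyIP<? [code] ?>',
    'REMOTE_ADDR'          => '192.0.2.10',
];
$ip = flood_client_ip($server);   // header rejected, falls back to REMOTE_ADDR
flood_record(sys_get_temp_dir() . '/flood.db.json', $ip, time());
echo $ip, "\n";
echo html_text($server['HTTP_X_FORWARDED_FOR']), "\n";
```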