SecurityTracker.com

Category:   Application (Forum/Board/Portal)  >   CoolForum
Vendors:   coolforum.net
CoolForum Input Validation Flaws Permit SQL Injection and Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1013474
SecurityTracker URL:  http://securitytracker.com/id/1013474
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 18 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 0.8 and prior versions
Description:   Romano_45 reported several input validation vulnerabilities in CoolForum. A remote user can conduct cross-site scripting attacks. A remote user can also inject SQL commands.

The 'avatar.php' script does not properly validate user-supplied input in the 'img' parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the CoolForum software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

avatar.php?img=<script>alert(document.cookie)</script>

The 'admin/entete.php' script does not properly validate user-supplied input in the 'pseudo' parameter. A remote user can submit a specially crafted HTTP POST request to inject SQL commands. If magic_quotes is set to 'off', this vulnerability can be exploited. Some demonstration exploit examples are provided:

'or 1=1 into outfile '/repertoire/du/site/cf_users.txt

'Union SELECT options,valeur,0,0,0 FROM CF_config into outfile
'/reperoire/serveur/cf_config.txt

The 'register.php' page in version 0.8 does not properly validate the user-supplied 'login' parameter. If the 'confirmation by mail' option is enabled, a remote user can supply a specially crafted URL to execute SQL commands on the underlying database.

A demonstration exploit URL is provided:

http://[target]/register.php?action=confirm&login='or 1=1 into outfile
'/var/www/html/cf_users_with_magic_quotes_on.txt

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the CoolForum software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can execute SQL commands on the underlying database.

Solution:   The vendor has released a fixed version (0.8.1), available at:

http://www.coolforum.net/index.php?p=dlcoolforum

Vendor URL:  www.coolforum.net/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
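
For a site that ran 0.8 or earlier, the two GET-based vectors described above (the 'img' parameter of avatar.php and the 'login' parameter of register.php) leave traces in web server access logs. The following Python script is an added example, not code from the advisory or from CoolForum; it assumes combined-format log lines, its sample entries are constructed, and it does not cover the 'pseudo' vector because POST bodies are not normally logged.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

# script -> (parameter named in the advisory, pattern with no business there, label)
RULES = {
    "avatar.php": ("img", re.compile(r"[<>\"']|javascript:", re.I), "xss"),
    "register.php": ("login", re.compile(r"'|\bunion\b|\binto\s+outfile\b", re.I), "sqli"),
}

def classify(log_line):
    """Return (script, param, label) when a line matches an advisory vector, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    script = url.path.rsplit("/", 1)[-1].lower()
    if script not in RULES:
        return None
    param, bad, label = RULES[script]
    # parse_qs percent-decodes once, so %3Cscript%3E and %27 are seen as < > and '
    for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
        if bad.search(value):
            return (script, param, label)
    return None

def scan(lines):
    """Return [(line_number, script, param, label)] for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict:
            hits.append((number, *verdict))
    return hits

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Mar/2005:10:00:01 +0000] "GET /forum/avatar.php?img=smile.gif HTTP/1.1" 200 512',
    '203.0.113.7 - - [18/Mar/2005:10:00:05 +0000] "GET /forum/avatar.php?img=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 498',
    '192.0.2.11 - - [18/Mar/2005:10:01:12 +0000] "GET /forum/register.php?action=confirm&login=alice HTTP/1.1" 200 1024',
    '203.0.113.7 - - [18/Mar/2005:10:02:40 +0000] "GET /forum/register.php?action=confirm&login=%27or%201=1%20into%20outfile%20%27/var/www/html/cf_users_with_magic_quotes_on.txt HTTP/1.1" 200 1011',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Values are percent-decoded once, so double-encoded input is not matched, and a legitimate login containing an apostrophe will be flagged for review.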

Message History:   None.


 Source Message Contents

Subject:  CoolForum 0.8 vulnerabilities




**********
- Non-persistent XSS (all versions)
- SQL injection with or without magic_quotes but with the forum configuration
option "Confirmation des inscriptions par mail" (confirmation of registrations by mail)


*********

1) Non-persistent XSS:
----------------------

So it is enough to do:
avatar.php?img=<script>alert(document.cookie)</script>


----------------

Page: admin/entete.php


the pseudo variable of the form:
'or 1=1 into outfile '/repertoire/du/site/cf_users.txt

Or, for example, to extract the configuration table one can do:
'Union SELECT options,valeur,0,0,0 FROM CF_config  into outfile 
'/reperoire/serveur/cf_config.txt


3) SQL injection with or without magic_quote but with the confirmation option
--------------------------------------------------------------------------------------------

Page register.php:



http://[target]/register.php?action=confirm&login='or 1=1 into outfile 
'/var/www/html/cf_users_with_magic_quotes_on.txt

To copy the contents of the users table into the text file.

**************



*********

Romano <romano_45@hotmail.com>
