SecurityTracker.com
Category:  Application (Forum/Board/Portal)  >  CoolForum
Vendors:  coolforum.net
CoolForum Input Validation Flaws Permit SQL Injection and Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1013474
SecurityTracker URL:  http://securitytracker.com/id?1013474
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Mar 18 2005
Impact:  Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 0.8 and prior versions
Description:  Romano_45 reported several input validation vulnerabilities in CoolForum. A remote user can conduct cross-site scripting attacks. A remote user can also inject SQL commands.

The 'avatar.php' script does not properly validate user-supplied input in the 'img' parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the CoolForum software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

avatar.php?img=<script>alert(document.cookie)</script>

The 'admin/entete.php' script does not properly validate user-supplied input in the 'pseudo' parameter. A remote user can submit a specially crafted HTTP POST request to inject SQL commands. If magic_quotes is set to 'off', this vulnerability can be exploited. Some demonstration exploit examples are provided:

'or 1=1 into outfile '/repertoire/du/site/cf_users.txt

'Union SELECT options,valeur,0,0,0 FROM CF_config into outfile '/reperoire/serveur/cf_config.txt

The 'register.php' page in version 0.8 does not properly validate the user-supplied 'login' parameter. If the 'confirmation by mail' option is enabled, a remote user can supply a specially crafted URL to execute SQL commands on the underlying database.

A demonstration exploit URL is provided:

http://[target]/register.php?action=confirm&login='or 1=1 into outfile '/var/www/html/cf_users_with_magic_quotes_on.txt

Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the CoolForum software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can execute SQL commands on the underlying database.

Solution:  The vendor has released a fixed version (0.8.1), available at:

http://www.coolforum.net/index.php?p=dlcoolforum

Vendor URL:  www.coolforum.net/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Romano <romano_45@hotmail.com>
Message History:   None.
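
A log-review check for the three request patterns described in this alert, added here as an example; it is not part of the SecurityTracker alert or of CoolForum's code. The log lines are constructed, and the combined log format, the '/forum/' prefix and the rule names are assumptions. The 'pseudo' value travels in a POST body, which a standard access log does not record, so that request is only surfaced for review.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format); the two flagged query
# strings are the alert's own demonstration URLs, percent-encoded.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Mar/2005:10:01:02 +0000] "GET /forum/avatar.php?img=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 512
198.51.100.7 - - [18/Mar/2005:10:01:09 +0000] "GET /forum/register.php?action=confirm&login=%27or%201=1%20into%20outfile%20%27/var/www/html/cf_users_with_magic_quotes_on.txt HTTP/1.1" 200 734
203.0.113.20 - - [18/Mar/2005:10:02:00 +0000] "GET /forum/avatar.php?img=smiley3.gif HTTP/1.1" 200 1830
203.0.113.20 - - [18/Mar/2005:10:02:05 +0000] "GET /forum/register.php?action=confirm&login=alice HTTP/1.1" 200 611
203.0.113.20 - - [18/Mar/2005:10:03:00 +0000] "POST /forum/admin/entete.php HTTP/1.1" 200 402
"""

REQUEST = re.compile(r'^(\S+) .*?"(GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
# Characters that have no place in an avatar image name but are needed for markup.
MARKUP = re.compile(r'[<>"\']')
# A quote or the SQL keywords used in the alert; a login such as O'Brien
# would also match, so hits are leads for review, not verdicts.
SQLI = re.compile(r"'|\binto\s+outfile\b|\bunion\s+select\b", re.I)

def classify(line):
    """Return (client, rule) for a suspicious request line, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, method, target, _status = m.groups()
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    path = url.path.lower()
    if path.endswith("/admin/entete.php") and method == "POST":
        # 'pseudo' is in the request body, which this log format never shows.
        return (client, "entete-post-unlogged-body")
    if path.endswith("/avatar.php"):
        if any(MARKUP.search(v) for v in params.get("img", [])):
            return (client, "avatar-img-markup")
    if path.endswith("/register.php") and "confirm" in params.get("action", []):
        if any(SQLI.search(v) for v in params.get("login", [])):
            return (client, "register-login-sqli")
    return None

def scan(log_text):
    """Classify every line and keep only the hits, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for client, rule in scan(SAMPLE_LOG):
        print(client, rule)
```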


 Source Message Contents

Date:  Thu, 17 Mar 2005 16:20:22 +0000
From:  Romano <romano_45@hotmail.com>
Subject:  CoolForum 0.8 vulnerabilities

 
 
 
 
Problem:
********
- Non-persistent XSS (all versions)
- SQL injection if magic_quotes is disabled (all versions)
- SQL injection with or without magic_quotes, but the forum configuration
  option "Confirmation of registrations by mail" must be enabled. (0.8 only!)


Details:
********

1) Non-persistent XSS:
----------------------

So it is enough to do:
avatar.php?img=<script>alert(document.cookie)</script>


2) SQL injection with magic_quotes disabled
-------------------------------------------

Page: admin/entete.php

The problem is that $_POST[pseudo] is not filtered.

So the users table can be saved by inserting the following value into the
pseudo variable of the form:
'or 1=1 into outfile '/repertoire/du/site/cf_users.txt

Or, for example, to extract the configuration table one can do:
'Union SELECT options,valeur,0,0,0 FROM CF_config  into outfile '/reperoire/serveur/cf_config.txt


3) SQL injection with or without magic_quotes but with the mail confirmation option enabled:
--------------------------------------------------------------------------------------------

Page register.php:


Exploitation is strictly the same; it is enough to do:

http://[target]/register.php?action=confirm&login='or 1=1 into outfile '/var/www/html/cf_users_with_magic_quotes_on.txt

To copy the contents of the users table into the text file.

Fix:
****

Update to version 0.8.1


Credits:
********

Romano <romano_45@hotmail.com>
 
 



Copyright 2005, SecurityGlobal.net LLC