#########################################################
class-1 Forum Software cross-site scripting
Original advisory: http://lostmon.blogspot.com/2005/07/class-1-forum-software-cross-site.html
Vendor URL: http://www.class1web.co.uk/download_forum.php
Vendor notified: yes   Exploit available: yes
OSVDB ID: 17920, 17921, 17922, 17923
Secunia: SA16078
BID: 14261
SecurityTracker: 1014485, 1014486
##########################################################
class-1 Forum Software is a PHP/MySQL driven web forum.
class-1 Forum contains a flaw that allows a remote cross-site
scripting attack. The flaw exists because the application does
not validate the 'viewuser_id' and 'group' variables upon
submission to the 'users.php' script. This could allow a user to
create a specially crafted URL that would execute arbitrary script
code in another user's browser within the trust relationship between
the browser and the server, leading to a loss of integrity.
##################
versions
##################
class-1 Forum Software (v 0.23.2) vulnerable.
class-1 Forum Software (v 0.24.4) vulnerable.
It is possible that other versions are vulnerable too.
Clever Copy (http://clevercopy.bestdirectbuy.com/)
with the affected forums module installed:
Clever Copy 2.0
Clever Copy 2.0a
###################
Solution
###################
No solution at this time.
################
Timeline
################
discovered: 10-07-2005
vendor notified: 12-07-2005 (web form)
vendor response:
2nd vendor response: 12-07-2005 (Clever Copy)
disclosure: 14-07-2005
##############################
Proof of cross-site scripting
##############################
http://[victim]/forum/users.php?mode=viewprofile&viewuser_id=89[XSS-code]
http://[victim]/forum/users.php?mode=viewgroup&group=Moderators[XSS-code]
#########################
Possible SQL injections
#########################
http://www.class1web.co.uk/forum/viewattach.php?id=[SQL-Injection]
SQL Error
There was an error executing the query - SELECT * FROM attachments
WHERE attach_id='''
You have an error in your SQL syntax near ''''' at line 1
-------
http://[victim]/forum/users.php?mode=viewprofile&viewuser_id=[SQL-Injection]
There was an error executing the query - SELECT * FROM users
WHERE user_id='''
You have an error in your SQL syntax near ''''' at line 1
--------
http://[victim]/forum/viewforum.php?mode=view&id=[SQL-Injection]
There was an error executing the query - SELECT * FROM messages
WHERE id='''
You have an error in your SQL syntax near ''''' at line 1
---------
http://[victim]/forum/viewforum.php?forum=[SQL-Injection]
There was an error executing the query - SELECT * FROM group_permissions
WHERE forum_id=''' AND forum_hidden='1' AND group_name='Standard Users'
You have an error in your SQL syntax near '1' AND group_name='Standard Users'' at line 1
----------
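Both sections above come from the same root cause: request parameters reach a SQL string and an HTML response without any type check, binding or encoding, and the database error text is echoed back. The following PHP is an added example written for this advisory, not class-1 Forum Software's or Clever Copy's own code. It reconstructs the assumed vulnerable shape of 'users.php' (the table and column names 'users', 'user_id', 'group_permissions' and 'group_name' are taken from the error messages above; the handler functions, the mysqli connection '$db' and the 'username' column are assumptions) and places a hardened form beside it. The same integer check and prepared statement apply to the 'id' parameters of 'viewattach.php' and 'viewforum.php'.

```php
<?php
// Added example, not the vendor's code. Names taken from the advisory's error
// messages: tables users / group_permissions, columns user_id / group_name.
// Everything else (functions, $db, the username column) is hypothetical.

// --- Assumed vulnerable shape: the parameter goes straight into SQL and HTML,
//     and the raw database error is returned to the browser.
function view_profile_vulnerable(mysqli $db, array $get): string
{
    $id = $get['viewuser_id'];                                         // no validation
    $result = $db->query("SELECT * FROM users WHERE user_id='$id'");   // SQL injection
    if ($result === false) {
        // Leaks the query and the MySQL error text, as seen in the advisory.
        return 'There was an error executing the query - ' . $db->error;
    }
    return '<h2>Profile of user ' . $id . '</h2>';                      // reflected XSS
}

// --- Hardened form: reject anything that is not a decimal integer, bind the
//     value, encode on output, and log (never display) database errors.
function view_profile_hardened(mysqli $db, array $get): string
{
    if (!isset($get['viewuser_id']) || !ctype_digit((string)$get['viewuser_id'])) {
        http_response_code(400);                     // "89<script>" and "'" end here
        return 'Invalid user id';
    }
    $id = (int)$get['viewuser_id'];

    $stmt = $db->prepare('SELECT user_id, username FROM users WHERE user_id = ?');
    $stmt->bind_param('i', $id);                     // bound as integer, not spliced
    if (!$stmt->execute()) {
        error_log('users.php: query failed: ' . $stmt->error);  // server-side log only
        http_response_code(500);
        return 'Internal error';
    }
    $row = $stmt->get_result()->fetch_assoc();       // get_result() needs mysqlnd
    if ($row === null) {
        http_response_code(404);
        return 'No such user';
    }
    // Output encoding for an HTML text context; username is assumed user-chosen.
    $name = htmlspecialchars((string)$row['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>Profile of ' . $name . '</h2>';
}

// 'group' is a name, not a number, so an integer check does not fit. Bind it as a
// string and treat "no matching row" as an allowlist failure; only the value that
// actually exists in the database is ever echoed, and it is encoded on the way out.
function view_group_hardened(mysqli $db, array $get): string
{
    $requested = (string)($get['group'] ?? '');
    if ($requested === '' || strlen($requested) > 64) {
        http_response_code(400);
        return 'Invalid group';
    }
    $stmt = $db->prepare('SELECT group_name FROM group_permissions WHERE group_name = ?');
    $stmt->bind_param('s', $requested);
    if (!$stmt->execute()) {
        error_log('users.php: group query failed: ' . $stmt->error);
        http_response_code(500);
        return 'Internal error';
    }
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null) {
        http_response_code(404);                     // "Moderators<script>" matches nothing
        return 'No such group';
    }
    $name = htmlspecialchars((string)$row['group_name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>Members of ' . $name . '</h2>';
}

// Dispatch in the style of the original 'mode=' parameter (hypothetical).
function users_page(mysqli $db, array $get): string
{
    switch ($get['mode'] ?? '') {
        case 'viewprofile': return view_profile_hardened($db, $get);
        case 'viewgroup':   return view_group_hardened($db, $get);
        default:
            http_response_code(400);
            return 'Unknown mode';
    }
}
```

Two design points worth noting. The integer check happens before the database is touched, so a malformed 'viewuser_id' never produces a MySQL syntax error and there is nothing for the application to leak; the error-message disclosure shown in the advisory disappears together with the injection. For the string parameter, the prepared statement removes the injection, and echoing only the database's own copy of the name (rather than the request value) plus 'htmlspecialchars' removes the reflected XSS even if the 'group' column itself is later populated with hostile data.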
#################### €nd ###########################
Thanks to estrella for being my light
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....