class-1 Forum Software Cross-site scripting

Thursday, July 14, 2005
#########################################################
class-1 Forum Software Cross-site scripting.
Original advisory: http://lostmon.blogspot.com/2005/07/class-1-forum-software-cross-site.html
Vendor url: http://www.class1web.co.uk/download_forum.php
Vendor notified: yes
Exploit available: yes
OSVDB ID: 17920, 17921, 17922, 17923
Secunia: SA16078
BID: 14261
Securitytracker: 1014485, 1014486
##########################################################


class-1 Forum Software is a PHP/MySQL driven web forum.

class-1 Forum contains a flaw that allows a remote cross-site
scripting attack. The flaw exists because the application
does not validate the 'viewuser_id' and 'group' variables upon
submission to the 'users.php' script. This could allow an attacker to
create a specially crafted URL that would execute arbitrary script
code in a victim's browser within the trust relationship between the
browser and the server, leading to a loss of integrity.

##################
versions
##################

class-1 Forum Software v0.23.2: vulnerable.
class-1 Forum Software v0.24.4: vulnerable.

It is possible that other versions are vulnerable too.

Clever Copy (http://clevercopy.bestdirectbuy.com/) is also affected
when the affected forums module is installed:

Clever Copy 2.0
Clever Copy 2.0a

###################
Solution
###################

No vendor fix is available at this time.

################
Timeline
################

discovered: 10-07-2005
vendor notified: 12-07-2005 (web form)
vendor response (class-1 Forum):
vendor response (Clever Copy): 12-07-2005
disclosure: 14-07-2005


##############################
Proof of cross-site scripting
##############################

http://[victim]/forum/users.php?mode=viewprofile&viewuser_id=89[XSS-code]

http://[victim]/forum/users.php?mode=viewgroup&group=Moderators[XSS-code]
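The following is an added example, not part of the advisory and not the class-1 code (the PHP source is not shown here). It is written in Python rather than the forum's PHP so it can be run as-is: a stand-in for what users.php does with 'viewuser_id' and 'group', the hardened equivalent (an integer check for the id, stricter than PHP's intval(), and entity encoding for anything echoed, the counterpart of htmlspecialchars()), the two advisory URLs built with a harmless marker in place of [XSS-code], and the reflection test that turns a response body into a yes/no finding. The assumption that the script echoes the raw parameter back into the page is mine, inferred from the PoC URLs; `victim.example` and the page wording are placeholders.

```python
import html
from urllib.parse import urlencode

MARKER = "<xss-marker>"  # constructed probe: a tag that must never appear raw in a response


def render_profile_unsafe(viewuser_id: str) -> str:
    """Stand-in for the flawed users.php behaviour (assumed, not the real source):
    the parameter is echoed into the page with no validation and no encoding."""
    return (
        "<html><body><h1>Profile</h1>"
        f"<p>No profile found for user id {viewuser_id}</p>"
        "</body></html>"
    )


def render_profile_safe(viewuser_id: str) -> str:
    """Hardened version: the id is a database key, so it must be all digits
    (reject otherwise), and whatever is echoed is entity-encoded."""
    if not viewuser_id.isdigit():
        return "<html><body><p>Invalid user id</p></body></html>"
    return (
        "<html><body><h1>Profile</h1>"
        f"<p>No profile found for user id {html.escape(viewuser_id, quote=True)}</p>"
        "</body></html>"
    )


def render_group_safe(group: str) -> str:
    """'group' is a name, so it cannot be restricted to digits;
    output encoding is the control that matters for this parameter."""
    return f"<html><body><h1>Group {html.escape(group, quote=True)}</h1></body></html>"


def poc_urls(host: str, marker: str) -> list:
    """The two advisory URLs with a marker substituted for [XSS-code]."""
    base = f"http://{host}/forum/users.php?"
    return [
        base + urlencode({"mode": "viewprofile", "viewuser_id": "89" + marker}),
        base + urlencode({"mode": "viewgroup", "group": "Moderators" + marker}),
    ]


def is_reflected_unencoded(body: str, marker: str) -> bool:
    """True when the marker comes back byte-for-byte, i.e. '<' and '>' were not
    entity-encoded. That, not a popup, is the condition to record as XSS."""
    return marker in body


if __name__ == "__main__":
    for url in poc_urls("victim.example", MARKER):
        print(url)
    print(is_reflected_unencoded(render_profile_unsafe("89" + MARKER), MARKER))       # True
    print(is_reflected_unencoded(render_profile_safe("89" + MARKER), MARKER))         # False
    print(is_reflected_unencoded(render_group_safe("Moderators" + MARKER), MARKER))   # False
```

Against a live install, fetch each URL from `poc_urls()` and pass the body to `is_reflected_unencoded()`; a marker without script is enough to prove the flaw and avoids executing anything in your own browser.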


#########################
Possible SQL injections
#########################

In each case a single quote in the parameter reaches the query
unescaped, as the echoed MySQL error shows; what can be extracted
beyond that was not verified, hence "possible".

http://www.class1web.co.uk/forum/viewattach.php?id=[SQL-Injection]

SQL Error
There was an error executing the query - SELECT * FROM attachments
WHERE attach_id='''
You have an error in your SQL syntax near ''''' at line 1

-------

http://[victim]/forum/users.php?mode=viewprofile&viewuser_id=[SQL-Injection]

There was an error executing the query - SELECT * FROM users
WHERE user_id='''
You have an error in your SQL syntax near ''''' at line 1

--------

http://[victim]/forum/viewforum.php?mode=view&id=[SQL-Injection]

There was an error executing the query - SELECT * FROM messages
WHERE id='''
You have an error in your SQL syntax near ''''' at line 1

---------

http://[victim]/forum/viewforum.php?forum=[SQL-Injection]

There was an error executing the query - SELECT * FROM group_permissions
WHERE forum_id=''' AND forum_hidden='1' AND group_name='Standard Users'
You have an error in your SQL syntax near '1' AND group_name='Standard Users'' at line 1
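The following is an added example, not part of the advisory and not class-1 code: the four statements quoted in the error messages above, rebuilt over an in-memory SQLite database with constructed sample rows, run once the way the forum does it (parameter spliced into the SQL text) and once with a bound parameter, plus the response-body check that flags the error text during a scan. SQLite's error wording differs from MySQL's, but the behaviour that matters is identical: a lone quote breaks the statement, and a quote followed by `OR '1'='1` widens the WHERE clause. Table and column names are the advisory's; all data and the sample page are constructed.

```python
import re
import sqlite3

# The four statements from the advisory's error output, kept as string templates
# so the unsafe path can be reproduced exactly.
QUERIES = {
    "viewattach.php?id": "SELECT * FROM attachments WHERE attach_id='{v}'",
    "users.php?viewuser_id": "SELECT * FROM users WHERE user_id='{v}'",
    "viewforum.php?id": "SELECT * FROM messages WHERE id='{v}'",
    "viewforum.php?forum": (
        "SELECT * FROM group_permissions WHERE forum_id='{v}' "
        "AND forum_hidden='1' AND group_name='Standard Users'"
    ),
}

# Signature of the page text reproduced in the advisory: the first phrase is
# MySQL's, the second is the forum's own wrapper message.
SQL_ERROR_RE = re.compile(
    r"You have an error in your SQL syntax|There was an error executing the query"
)


def setup_db() -> sqlite3.Connection:
    """In-memory schema mirroring the tables named in the queries, with sample rows
    (constructed; not real class-1 data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE attachments (attach_id INTEGER, filename TEXT);
        CREATE TABLE users (user_id INTEGER, username TEXT);
        CREATE TABLE messages (id INTEGER, body TEXT);
        CREATE TABLE group_permissions (forum_id INTEGER, forum_hidden TEXT, group_name TEXT);
        INSERT INTO attachments VALUES (1, 'a.txt'), (2, 'b.txt'), (3, 'c.txt');
        INSERT INTO users VALUES (1, 'admin'), (89, 'alice');
        INSERT INTO messages VALUES (1, 'hello'), (2, 'world');
        INSERT INTO group_permissions VALUES
            (1, '1', 'Standard Users'), (2, '1', 'Standard Users'), (3, '0', 'Standard Users');
        """
    )
    return conn


def run_unsafe(conn: sqlite3.Connection, key: str, value: str) -> tuple:
    """What the forum does: the request parameter is spliced into the SQL text.
    Returns ('rows', count) or ('error', message) so both outcomes are visible."""
    sql = QUERIES[key].format(v=value)
    try:
        return ("rows", len(conn.execute(sql).fetchall()))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def run_safe(conn: sqlite3.Connection, key: str, value: str) -> tuple:
    """Same statement with a bound parameter: the value is data, never SQL."""
    sql = QUERIES[key].replace("'{v}'", "?")
    return ("rows", len(conn.execute(sql, (value,)).fetchall()))


def looks_like_sql_error(body: str) -> bool:
    """Response-body check for the MySQL/forum error text quoted in the advisory."""
    return SQL_ERROR_RE.search(body) is not None


# Constructed stand-in for the response body shown in the advisory.
SAMPLE_ERROR_PAGE = (
    "SQL Error\n"
    "There was an error executing the query - SELECT * FROM attachments WHERE attach_id='''\n"
    "You have an error in your SQL syntax near ''''' at line 1\n"
)

if __name__ == "__main__":
    db = setup_db()
    for key in QUERIES:
        print(key, run_unsafe(db, key, "'"))            # ('error', ...) for every statement
        print(key, run_unsafe(db, key, "' OR '1'='1"))  # more rows than any single id should return
        print(key, run_safe(db, key, "' OR '1'='1"))    # ('rows', 0): the payload is just a literal
    print(looks_like_sql_error(SAMPLE_ERROR_PAGE))       # True
```

Note that for the group_permissions statement the injected OR only widens the clause as far as SQL precedence allows (AND binds tighter), so a probe that counts rows must be read against the specific query, not just against "more than one row". Echoed syntax errors prove the quote reaches the query; they do not by themselves establish what a UNION or boolean probe can pull out of the 2005-era MySQL behind it.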

----------
#################### End ###########################

Thanks to Estrella for being my light
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....