[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] SonicBB version 1.0 XSS Attack Vulnerabilities
From: "SecurityResearch" <securityresearch () netvigilance ! com>
Date: 2007-05-14 12:32:27
Message-ID: 012FDE7DE21D97498794A72AEEF90D7F06A521 () beaverton ! portland ! local
[Download RAW message or body]
netVigilance Security Advisory #20
SonicBB version 1.0 XSS Attack Vulnerabilities
Description:
SonicBB is a user-friendly and fully customizable bulletin board package. SonicBB is \
compatible with any web server/operating system combo with PHP 4.x or higher \
installed.SonicBB is the ideal community software for all sites. This vulnerabilities \
can be exploited only when PHP magic_quotes_gpc = Off. External References:
Mitre CVE: CVE-2007-1903
NVD NIST: CVE-2007-1903
OSVDB: 34042
Summary:
SonicBB is a user-friendly and fully customizable bulletin board package. SonicBB is \
compatible with any web server/operating system combo with PHP 4.x or higher \
installed. SonicBB is the ideal community software for all sites. Security problem \
in the product allows attackers to commit XSS attacks. Advisory URL:
http://www.netvigilance.com/advisory0020
Release Date:
05/14/2007
Severity:
Risk: Medium
CVSS Metrics
Access Vector: Remote
Access Complexity: High
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Impact Bias: Normal
CVSS Base Score: 5.6
Target Distribution on Internet: Low
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Confirmed
Vulnerability Impact: Attack
Host Impact: XSS Attack.
SecureScout Testcase ID:
TC 17944
Vulnerable Systems:
SonicBB version 1.0
Vulnerability Type:
XSS (Cross-Site Scripting) to force a web-site to display malicious contents to the \
target, by sending a specially crafted request to the web-site. The vulnerable \
web-site is not the target of attack but is used as a tool for the hacker in the \
attack of the victim. Vendor:
iScripts
Vendor Status:
Contact with the Vendor was established and draft of the security advisory was \
provided on 10 April 2007, the vendor promised to fix the issue but stopped \
responding to our emails on 10 April 2007. There is no official fix at the release \
of this Security Advisory Workaround:
Modify in the php.ini file following line: magic_quotes_gpc = Off.
Example:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/search.php?query=1&part=post`<> '' UNION SELECT \
`id`,'<script>alert(document.cookie)</script>',1,1,1,1,`username` FROM `users` WHERE \
id=1%23 REPLY:
Will execute <script>alert(document.cookie)</script>
Credits:
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.c
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic