Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-import-export-lite domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the insert-headers-and-footers domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121
Snitz Forums 2000 Multiple Vulnerabilities - exploit.company
header-logo
Suggest Exploit
vendor:
Snitz Forums 2000
by:
James Bercegay
7.5
CVSS
HIGH
Search XSS, Cookie Authentication Bypass, Password Reset
79, 79, 79
CWE
Product Name: Snitz Forums 2000
Affected Version From: <= 3.4.0.3
Affected Version To: <= 3.4.0.3
Patch Exists: YES
Related CWE: CAN-2003-0492 CAN-2003-0493 CAN-2003-0494
CPE: Snitz:Forums_2000
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
2003

Snitz Forums 2000 Multiple Vulnerabilities

Snitz search feature is vulnerable to XSS which can aide an attacker in stealing cookies, and thus compromising the account. In order to steal another users identity, all an attacker needs to know is thier encrypted password. This is not very hard to obtain using the XSS as described above, or other methods. Once an attacker has this info, all they have to do is login to thier normal account to get a valid session id, close the browser, replace thier username and encrypted pass with that of the victim, and return to the site where they will be recognized as the victim. This is the most serious of the vulns, as it requries no real effort and leaves the entire snitz forum open to attack. All an attacker has to do is request a forgotten password, save the password reset page offline,edit the member id to the desired member id, and submit the form. The members password will then be reset to that of the attackers choosing.

Mitigation:

Upgrade to version v3.4.04 or higher
Source

Exploit-DB raw data:

Snitz Forums 2000 Multiple Vulnerabilities

Vendor: Snitz Communications
Product: Snitz Forums 2000
Version: <= 3.4.0.3
Website: http://www.snitz.com

BID: 7922 7924 7925 
CVE: CAN-2003-0492 CAN-2003-0493 CAN-2003-0494 

Description:
Snitz Forums is a full-featured UBB-style ASP discussion board application. New features in version 3.3: Complete Topic/Post Moderation, Topic Archiving, Subscribe to Board / Category / Forum / Topic, Improved unsubscribe, Short(er) urls, Category and Forum ordering, and Improved Members-page. And like always, upgrading of the database is done for you by the setupscript 

Search XSS Vulnerability:
Snitz search feature is vulnerable to XSS which can aide an attacker in stealing cookies, and thus compromising the account, as described below 

search.asp?Search="><script>alert(document.cookie)</script> 

Cookie Authentication Bypass Vulnerability:
In order to steal another users identity, all an attacker needs to know is thier encrypted password. This is not very hard to obtain using the XSS as described above, or other methods. Once an attacker has this info, all they have to do is login to thier normal account to get a valid session id, close the browser, replace thier username and encrypted pass with that of the victim, and return to the site where they will be recognized as the victim. 

Password Reset Vulnerability:
This is the most serious of the vulns, as it requries no real effort and leaves the entire snitz forum open to attack. All an attacker has to do is request a forgotten password, save the password reset page offline,edit the member id to the desired member id, and submit the form. The members password will then be reset to that of the attackers choosing. 

Proof Of Concept:
Snitz Forums 2000 Proof Of Concept 

Solution:
Upgrade to version v3.4.04 or higher 

Credits:
James Bercegay of the GulfTech Security Research Team.

Navigation

Suggest Exploit

Services By CQR

cqrsecured