Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
htbridgeHigh-Tech BridgeHTB23248
HistoryJan 14, 2015 - 12:00 a.m.

Multiple Vulnerabilities in my little forum

2015-01-1400:00:00
High-Tech Bridge
www.htbridge.com
21

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.016 Low

EPSS

Percentile

85.7%

JSON

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in my little forum, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks. The SQL injection vulnerabilities have medium risk assigned as they can be exploited under administrator account or via XSRF vector.

  1. SQL Injection in my little forum: CVE-2015-1434

1.1 Input passed via the “edit_category” HTTP GET parameter to “/index.php” script is not properly sanitised before being used in SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Simple PoC code below will create a file in web root with phpinfo() function (if MySQL has enough privileges, and current web user can write into the directory):

http://[host]/index.php?mode=admin&edit_category=’ UNION SELECT 1,2,3,‘<? phpinfo() ?>’ INTO OUTFILE ‘/var/www/file.php’ –

1.2 Input passed via the “letter” HTTP GET parameter to “/index.php” script is not properly sanitised before being used in SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Simple PoC code below will create a file in web root with phpinfo() function (if MySQL has enough privileges, and current web user can write into the directory):

http://[host]/index.php?mode=admin&action=user&letter=’ UNION SELECT ‘<? phpcode() ?>’ INTO OUTFILE ‘/var/www/file.php’ –

Both vulnerabilities require administrative privileges, however can be also exploited via XSRF vector to which the application is also vulnerable.

  1. Cross-Site Scripting (XSS) in my little forum: CVE-2015-1435

2.1 Input passed via the “back” GET parameter to “/index.php” is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

PoC below uses JS “alert()” function to display a pop-up with “ImmuniWeb”:

http://[host]/index.php?delete_posting=1&mode=posting&back=%22%3E%3Cscript%3 Ealert%28/ImmuniWeb/%29;%3C/script%3E

CPENameOperatorVersion
my little forumle2.3.3

Related

packetstorm 1
securityvulns 2
zdt 1
prion 2
cvelist 2
cve 2
packetstorm
packetstorm
My Little Forum 2.3.3 Cross Site Scripting / SQL Injection
2015-02-11 00:00:00
securityvulns
securityvulns
Multiple Vulnerabilities in my little forum
2015-02-22 00:00:00
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2015-02-23 00:00:00
zdt
zdt
My Little Forum 2.3.3 Cross Site Scripting / SQL Injection Vulnerabilities
2015-02-11 00:00:00
prion
prion
Sql injection
2015-02-16 15:59:00
Cross site scripting
2015-02-16 15:59:00
cvelist
cvelist
CVE-2015-1435
2015-02-16 15:00:00
CVE-2015-1434
2015-02-16 15:00:00
cve
cve
CVE-2015-1435
2015-02-16 15:59:00
CVE-2015-1434
2015-02-16 15:59:00

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.016 Low

EPSS

Percentile

85.7%

JSON
Related for HTB23248
packetstorm1securityvulns2zdt1prion2cvelist2cve2