Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

6kbbs 8.0 Cross Site Scripting

🗓️ 05 Apr 2015 00:00:00Reported by Wang JingType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 38 Views

6kbbs v8.0 XSS (Cross-site Scripting) Security Vulnerabilities. 6kbbs v8.0 is a PHP + MySQL built using high-performance forum, has the code simple, easy to use, powerful, fast and so on. It is an excellent community forum program. The program is simple but not simple; fast, small; Interface generous and good scalability; functional and practical pursuing superior performance, good interface, the user's preferred utility functions

Code
`*6kbbs v8.0 XSS (Cross-site Scripting) Security Vulnerabilities*  
  
  
Exploit Title: 6kbbs XSS (Cross-site Scripting) Security Vulnerabilities  
Vendor: 6kbbs  
Product: 6kbbs  
Vulnerable Versions: v7.1 v8.0  
Tested Version: v7.1 v8.0  
Advisory Publication: April 02, 2015  
Latest Update: April 02, 2015  
Vulnerability Type: Cross-Site Scripting [CWE-79]  
CVE Reference: *  
Impact CVSS Severity (version 2.0):  
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)  
Impact Subscore: 2.9  
Exploitability Subscore: 8.6  
Writer and Reporter: Wang Jing [CCRG, Nanyang Technological University  
(NTU), Singapore]  
  
  
  
  
  
  
  
*Suggestion Details:*  
  
  
*(1) Vendor & Product Description:*  
  
  
*Vendor:*  
6kbbs  
  
  
  
*Product & Vulnerable Versions:*  
6kbbs  
v7.1  
v8.0  
  
  
  
*Vendor URL & download:*  
6kbbs can be obtained from here,  
http://www.6kbbs.com/download.html  
http://code.google.com/p/6kbbs/downloads/list  
  
  
  
*Product Introduction Overview:*  
"6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the  
code simple, easy to use, powerful, fast and so on. It is an excellent  
community forum program. The program is simple but not simple; fast, small;  
Interface generous and good scalability; functional and practical pursuing  
superior performance, good interface, the user's preferred utility  
functions."  
  
"1, using XHTML + CSS architecture, so that the structure of the page,  
saving transmission static page code, but also easy to modify the  
interface, more in line with WEB standards; 2, the Forum adopted Cookies,  
Session, Application and other technical data cache on the forum, reducing  
access to the database to improve the performance of the Forum. Can carry  
more users simultaneously access; 3, the data points table function, reduce  
the burden on the amount of data when accessing the database; 4, support  
for multi-skin style switching function; 5, the use of RSS technology to  
support subscriptions forum posts, recent posts, user's posts; 6, the  
display frame mode + tablet mode, the user can choose according to their  
own preferences to; 7. forum page optimization keyword search, so the forum  
more easily indexed by search engines; 8, extension, for our friends to  
provide a forum for a broad expansion of space services; 9, webmasters can  
add different top and bottom of the ad, depending on the layout; 10, post  
using HTML + UBB way the two editors, mutual conversion, compatible with  
each other; ..."  
  
  
  
  
*(2) Vulnerability Details:*  
6kbbs web application has a security bug problem. It can be exploited by  
XSS attacks. This may allow a remote attacker to create a specially crafted  
request that would execute arbitrary script code in a user's browser  
session within the trust relationship between their browser and the server.  
  
Several 6kbbs products 0-day vulnerabilities have been found by some other  
bug hunter researchers before. 6kbbs has patched some of them. The  
milw00rm.com is archive of exploits, videos, papers and vulnerabilities. It  
has published suggestions, advisories, solutions details related to 6kbbs  
vulnerabilities.  
  
  
*(2.1)* The first code programming flaw occurs atoccurs at "/userlist.php?"  
page with "&orderby" parameter.  
  
  
  
  
  
*References:*  
http://www.tetraph.com/security/xss-vulnerability/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/  
http://securityrelated.blogspot.sg/2015/04/6kbbs-v80-xss-cross-site-scripting.html?view=sidebar  
http://www.inzeed.com/kaleidoscope/computer-web-security/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/  
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/  
https://hackertopic.wordpress.com/2015/04/02/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/  
http://marc.info/?a=139222176300014&r=1&w=4  
http://packetstormsecurity.com/files/authors/11717  
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01759.html  
http://milw00rm.com/exploits/6673  
  
  
  
  
--  
Wang Jing,  
Division of Mathematical Sciences (MAS),  
School of Physical and Mathematical Sciences (SPMS),  
Nanyang Technological University (NTU),  
Singapore.  
http://www.tetraph.com/wangjing/  
https://twitter.com/justqdjing  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Apr 2015 00:00Current
7.4High risk
Vulners AI Score7.4
6kbbscross-site scriptingsecurity vulnerabilitiesphpmysqlxssremote attackercve referencevulnerability
38