bmforumXSS.txt

2005-07-28T00:00:00
ID PACKETSTORM:38925
Type packetstorm
Reporter Lostmon
Modified 2005-07-28T00:00:00

Description

                                        
                                            `################################################  
Multiple Cross site scripting in BMForum   
vendor url:http://www.bmforum.com/  
Advisore:http://lostmon.blogspot.com/2005/07/  
multiple-cross-site-scripting-in.html  
Vendor notify:yes Exploit available:yes  
################################################  
  
  
BMForum contains a flaw that allows a remote cross site scripting  
attack.This flaw exists because the application does not validate  
multiple variables upon submission to multiple scripts.This could  
allow a user to create a specially crafted URL that would execute  
arbitrary code in a user's browser within the trust relationship  
between the browser and the server, leading to a loss of integrity.  
  
  
  
####################  
VERSIONS  
####################  
  
BMForum Datium! 3.0 RC4  
BMForum Datium! 3.0 RC3   
BMForum Datium! 3.0 RC2  
BMForum Datium! 3.0 RC1  
BMForum Plus! 3.0 RC4  
BMForum Plus! 3.0 RC3   
BMForum Plus! 3.0 RC2   
BMForum Plus! 3.0 RC1  
BMForum Plus!MX 3.0.0.5   
BMForum Plus! 2.6.1  
  
  
###################  
Solution:  
###################  
  
No solution at this time.  
  
###################  
Timeline:  
###################  
  
Discovered: 21-0-2005  
vendor notify:25-07-2005  
Disclosure:27-07-2005  
  
###################  
Proof of XSS  
####################  
  
####################  
topic.php  
####################  
  
http://[VICTIM]/bmb/topic.php?forumid=6&filename=38496&page=2[XSS-CODE]  
http://[VICTIM]/bmb/topic.php?forumid=6&filename=38496[XSS-CODE]&page=2  
http://[VICTIM]/topic.php?filename=1923[XSS-CODE]  
  
#################  
forums.php  
#################  
  
http://[VICTIM]/bmb/forums.php?forumid=6[XSS-CODE]  
http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime[XSS-CODE]&jinhua=&page=  
http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime&jinhua=[XSS-CODE]&page=  
http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime&jinhua=&page=[XSS-CODE]  
  
  
###################  
post.php  
###################  
  
http://[VICTIM]/post.php?forumid=2\[XSS-CODE]  
  
###################  
announcesys.php  
###################  
  
http://[VICTIM]/announcesys.php?forumid=0[XSS-CODE]  
  
#################  
Others  
#################  
  
http://[VICTIM]/datafile/regipbans.php //ips baned.  
http://[VICTIM]/bmb/datafile/sendmail.php // full path disclosure.  
http://[VICTIM]/post_global.php //full path disclosure  
http://[VICTIM]/bmb/datafile/bbslog2.txt   
http://[VICTIM]/bmb/bbslog.txt  
  
################### €nd ######################  
  
thnx to estrella to be my ligth.  
  
atentamente:  
Lostmon (lostmon@gmail.com)  
Web-Blog: http://lostmon.blogspot.com/  
--  
La curiosidad es lo que hace mover la mente....  
`