EV0084.txt

2006-03-06T00:00:00
ID PACKETSTORM:44361
Type packetstorm
Reporter Aliaksandr Hartsuyeu
Modified 2006-03-06T00:00:00

Description

                                        
                                            `New eVuln Advisory:  
Skate Board Multimple Vulnerabilities  
http://evuln.com/vulns/84/summary.html  
  
--------------------Summary----------------  
eVuln ID: EV0084  
CVE: CVE-2006-0809 CVE-2006-0810 CVE-2006-0811  
Software: Skate Board  
Sowtware's Web Site: http://bb.jiraiya.se/main.php?content=start  
Versions: 0.9  
Critical Level: Dangerous  
Type: Multiple Vulnerabilities  
Class: Remote  
Status: Unpatched. No reply from developer(s)  
Exploit: Available  
Solution: Not Available  
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)  
  
-----------------Description---------------  
1. SQL Injection.  
  
Vulnerable script: includes/root/sendpass.php  
  
Variable $_POST[usern] isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.  
  
Condition: magic_quotes_gpc - off  
  
  
2. Authentication Bypass.  
  
Vulnerable scripts:  
includes/root/login.php  
includes/root/logged.php  
  
Variables $_POST[usern] $_POST[passwd] $_COOKIE[sf_cookie] are not properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code and make authorization bypass.  
  
Condition: magic_quotes_gpc - off  
  
  
3. PHP Code Injection.  
  
Administrator has an ability to edit values of variables in config.php This can be used to inject arbitrary PHP code.  
  
System access is possible.  
  
  
4. Multiple Cross-Site Scripting.  
  
Vulnerable script: includes/root/reguser.php  
  
All user-defined data from registration form isn't properly sanitized. This can be used to inject arbitrary html or script code.  
  
--------------Exploit----------------------  
Available at: http://evuln.com/vulns/84/exploit.html  
  
1. SQL Injection Example  
  
Url: http://[host]/index.php? act=lostpass  
Username: aaa' union select 1,2,3,4,5,6, 7,8,9,10,11, 12,13,14,15, 16,17,18,19, 20/*  
  
  
2. Authentication Bypass.  
  
a) From login form:  
username: [username]' and 1/*  
password: any  
  
b) Cookie value  
Cookie: sf_cookie=admin% 27+and+1%2F% 2A%3Basd  
  
  
3. PHP Code Injection Example.  
  
Min user chars is: 3; [code]  
  
  
4. Multiple Cross-Site Scripting.  
  
url: http://[host]/index.php? act=register  
username: [XSS]  
Full Name: [XSS]  
Location: [XSS]  
ICQ: [XSS]  
Yahoo: [XSS]  
  
  
--------------Solution---------------------  
No Patch available.  
  
--------------Credit-----------------------  
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)  
  
  
Regards,  
Aliaksandr Hartsuyeu  
http://evuln.com - Penetration Testing Services  
.  
  
`