EV0089.txt

2006-03-11T00:00:00
ID PACKETSTORM:44571
Type packetstorm
Reporter Aliaksandr Hartsuyeu
Modified 2006-03-11T00:00:00

Description

                                        
New eVuln Advisory:  
FreeForum PHP Code Execution & Multiple XSS Vulnerabilities  
http://evuln.com/vulns/89/summary.html  
  
--------------------Summary----------------  
eVuln ID: EV0089  
CVE: CVE-2006-0957 CVE-2006-0958  
Vendor: ZoneO-Soft  
Vendor's Web Site: http://soft.zoneo.net/  
Software: FreeForum  
Software's Web Site: http://soft.zoneo.net/freeForum/  
Versions: 1.2  
Critical Level: Dangerous  
Type: Multiple Vulnerabilities  
Class: Remote  
Status: Patched  
PoC/Exploit: Available  
Solution: Available  
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)  
  
-----------------Description---------------  
1. PHP Code Execution Vulnerability.  
  
Vulnerable Script: func.inc.php  
  
The variables $_SERVER[HTTP_X_FORWARDED_FOR] and $_SERVER[HTTP_CLIENT_IP] are not sanitized before being written to the 'Data/flood.db.php' file. This can be used to inject arbitrary PHP code by sending an HTTP request with a forged X-Forwarded-For or Client-IP header value.  
  
System access is possible.  
  
  
2. Multiple Cross-Site Scripting  
  
Vulnerable Script: func.inc.php  
  
The variables $name and $subject are not properly sanitized. This can be used to post a message containing arbitrary HTML or JavaScript code.  
  
--------------PoC/Exploit----------------------  
Available at: http://evuln.com/vulns/89/exploit.html  
  
PerlBlog Multiple Vulnerabilities  
  
  
PoC/Exploit  
  
1. PHP Code Execution Example.  
HTTP Query:  
POST /freeforum/index.php HTTP/1.0  
Host: [host]  
X-Forwarded-For: anyIP<? [code] ?>  
Content-Length: 91  
name=qqq&email=qqq@qqq.com&subject=qqq&text=qqq&mode=postanswer&thread=1&cat=1&submit=Add  
  
2. Cross-Site Scripting Example.  
URL: http://[host]/freeforum/index.php  
Your name: [XSS]  
Subject: [XSS]  
  
--------------Solution---------------------  
Vendor-provided solution is available now.  
Install or Upgrade to version 1.2.1  
  
http://soft.zoneo.net/freeForum/changes.php  
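
The two input-handling flaws described above, shown as a hardened pattern. This is an added example, not FreeForum's code and not the vendor's 1.2.1 fix; the function names client_ip, record_post and h, and the JSON data file, are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from FreeForum.

/**
 * Return a validated client IP. Forwarding headers are client-controlled,
 * so a value is accepted only if it parses as an IP address; otherwise
 * fall back to REMOTE_ADDR, which is set by the web server.
 */
function client_ip(array $server): string
{
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'] as $key) {
        if (!isset($server[$key])) {
            continue;
        }
        // X-Forwarded-For may carry a comma-separated chain; check the first entry.
        $candidate = trim(explode(',', $server[$key])[0]);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    $remote = $server['REMOTE_ADDR'] ?? '';
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

/** Append one flood-control record to a data file that is never parsed as PHP. */
function record_post(string $file, string $ip, int $time): void
{
    file_put_contents($file, json_encode([$ip, $time]) . "\n", FILE_APPEND | LOCK_EX);
}

/** Encode user-supplied text (name, subject) for output in an HTML context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input that mirrors the shape of the advisory's request.
$server = ['HTTP_X_FORWARDED_FOR' => 'anyIP<? [code] ?>', 'REMOTE_ADDR' => '203.0.113.7'];
$ip = client_ip($server);   // header fails validation, so REMOTE_ADDR is used
record_post(sys_get_temp_dir() . '/flood.db.json', $ip, time());
echo $ip, "\n";
echo h('<b onmouseover="x">name</b>'), "\n";   // markup is emitted as inert text
```

A validated forwarding header is still chosen by the client, so flood control keyed on it can be sidestepped unless the header is set by a trusted reverse proxy.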
  
--------------Credit-----------------------  
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)  
  
  
Regards,  
Aliaksandr Hartsuyeu  
http://evuln.com - Penetration Testing Services  