Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:8120
HistoryMar 22, 2005 - 12:00 a.m.

-==CoolForum Path Disclosure & Possible SQL Injection==-

2005-03-2200:00:00
vulners.com
23
JSON

/*

[N]eo [S]ecurity [T]eam [NST]® - Advisory #11 - 20/03/05

Program: CoolForum
Homepage: http://coolforum.net/
Vulnerable Versions: CoolForum v.0.8.1 beta & Lowers
Risk: Low!!
Impact: Path Disclosure & Possible SQL Injection

-==CoolForum Path Disclosure & Possible SQL Injection==-

  • Description

CoolForum est un forum de discussion semi-professionnel
que vous pouvez tйlйcharger et installer sur votre site
web afin d'amйliorer les relations entre vos visiteurs et
pouvoir avoir un contact plus poussй avec eux.

  • Tested

CoolForum's & LocalHost
I've done minimal testing on this there could be more bugs.

  • Explotation

If you access directly to : http://host/forum/alert.php
likewise it'll happen the samething here http://host/forum/viewip.php
You will get an error like this one:

You have an error in your SQL syntax near ' topicid= WHERE
sessionID='1bbd8746b185f6d539461fc40141577a'' at line 1
UPDATE CF_session SET username='', userid=0, userstatus=1,
time=1111291757, typelieu='TOP', forumid=, topicid= WHERE
sessionID='1bbd8746b185f6d539461fc40141577a'

Warning: Cannot modify header information - headers already sent by
(output started at /home/coolcoyote/coolforum/forum/admin/functions.php:51)
in /home/coolcoyote/coolforum/forum/admin/functions.php on line 284

Warning: Cannot modify header information - headers already sent by
(output started at /home/coolcoyote/coolforum/forum/admin/functions.php:51)
in /home/coolcoyote/coolforum/forum/admin/functions.php on line 284

Solution

admin/functions.php: 42 - 55
-==code==-
function query($query)
{
global $NBRequest;

            $msql=mysql_query($query);
            if($msql)
                    $NBRequest++;
            else
            {
                    echo(mysql_error()."<br>");
                    echo($query."<p>");
            }
            return($msql);
    }

-==/code==-

admin/functions.php: 277 - 284

-==code==-
function sendcookie($name,$value,$expire)
{
global $_FORUMCFG;

    if($expire==-1)
            $expire=mktime(0,0,0,1,1,2010);
            
    if(empty($_FORUMCFG['cookiedomain']))

setcookie($name,$value,$expire,$_FORUMCFG['cookierep']);
else
setcookie($name,$value,$expire,$_FORUMCFG['cookierep'],".".$_FORUMCFG['cookiedomain']);
}
-==/code==-

[:: ============================================ ::]
Other Bug

http://host/forum/entete.php

Its making a call to an undefined function.

Fatal error: Call to undefined function: getuserid() in
/home/coolcoyote/coolforum/forum/entete.php on line 50

entete.php on line 50
-==code==-
$_USER = getuserid();
-==/code==-

[:: ============================================ ::]
Other Bug

http://host/forum/profile_accueil.php

Making a member function on a non-object

Fatal error: Call to a member function on a non-object in
/home/coolcoyote/coolforum/forum/profile_accueil.php on line 31

profile_accueil.php on line 31
-==code==-
$tpl->treenavs=$tpl->gettemplate("treenav","treeprofil");
-==/code==-

[:: ============================================ ::]
Other Bug

http://host/forum/profile_mdp.php

Calling an undefined function

Fatal error: Call to undefined function: getlangage() in
/home/coolcoyote/coolforum/forum/profile_mdp.php on line 30

profile_mdp.php on line 30
-==code==-
getlangage("profile_mdp");
-==/code==-

[:: ============================================ ::]
Other Bug

http://host/forum/profile_notify.php

Same as the one up there

Calling an undefined function

Fatal error: Call to undefined function: getlangage() in
/home/coolcoyote/coolforum/forum/profile_notify.php on line 33

profile_notify.php on line 33
-==code==-
getlangage("profile_notify");
-==/code==-

[:: ============================================ ::]
Other Bug

http://host/forum/profile_options.php

Same as the one up there

Calling an undefined function

Fatal error: Call to undefined function: getlangage() in
/home/coolcoyote/coolforum/forum/profile_options.php on line 30

profile_options.php on line 30
-==code==-
getlangage("profile_options");
-==/code==-

[:: ============================================ ::]
Other Bug

http://host/forum/profile_perso.php

Same as the one up there

Calling an undefined function

Fatal error: Call to undefined function: getlangage() in
/home/coolcoyote/coolforum/forum/profile_perso.php on line 30

profile_perso.php on line 30
-==code==-
getlangage("profile_perso");
-==/code==-

[:: ============================================ ::]
Other Bug

http://coolforum.net/forum/profile_pm.php

Same as the one up there

Calling an undefined function

Fatal error: Call to undefined function: getlangage() in
/home/coolcoyote/coolforum/forum/profile_pm.php on line 30

profile_pm.php on line 30
-==code==-
getlangage("profile_pm");
-==/code==-

[:: ============================================ ::]
Other Bug

http://host/forum/readannonce.php

OK this file has lots of bugs minors but you could improve them.

  1. There is no such file templates//tpl_error.html
  2. Implode functions has bad arguments
  3. There is no such file templates//tpl_baspage.htm

Warning: file(templates//tpl_error.html): failed to open stream: No such
file or directory in /home/coolcoyote/coolforum/forum/admin/functions.php
on line 157

Warning: implode(): Bad arguments. in
/home/coolcoyote/coolforum/forum/admin/functions.php on line 157

Warning: file(templates//tpl_baspage.html): failed to open stream: No such
file or directory in /home/coolcoyote/coolforum/forum/admin/functions.php
on line 157

Warning: implode(): Bad arguments. in
/home/coolcoyote/coolforum/forum/admin/functions.php on line 157

admin/functions.php: 150 - 160
-==code==-
function loadfile($file)
{
global $_SKIN,$_SERVER;

            if(ereg("admin/",$_SERVER['REQUEST_URI']))

$prefix="…/";
else $prefix="";

            $temp                   =

implode("",file($prefix."templates/".$SKIN['reptpl']."/tpl".$file.".html"));
$this->forme($temp);
$this->isloaded[$file] = true;
}
-==/code==-

[:: ============================================ ::]
Other Bug

You cannot access directly to this file:

http://host/forum/admin/functions.php

Fatal error: Class sqlconnect: Cannot inherit from undefined class my_sql
in /home/coolcoyote/coolforum/forum/admin/functions.php on line 34

admin/functions.php:34 - 40
-==code==-
class SQLConnect extends My_SQL
{
function SQLConnect()
{
@mysql_connect($this->host,$this->user,$this->pass) or
die("Impossible de se connecter а la base de donnйes");
@mysql_select_db("$this->bdd") or die("Impossible de se
connecter а la base de donnйes");
}
-==/code==-

  • References

http://neosecurityteam.net/Advisories/Advisory-11.txt

  • Credits

Discovered by HaCkZaTaN <[email protected]>

[N]eo [S]ecurity [T]eam [NST]® - http://neosecurityteam.net/

Got Questions? http://neosecurityteam.net/

Irc.InfoGroup.cl #neosecurityteam

  • Greets
       Paisterist
       T0wn3r
       LINUX
       Heap
       Nitrous
       CrashCool
       eL_mEsIaS
       Makoki
       KingMetal

       And my Colombian people

    @@@@&#39;&#39;&#39;@@@@&#39;@@@@@@@@@&#39;@@@@@@@@@@@
    &#39;@@@@@&#39;&#39;@@&#39;@@@&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;@@&#39;&#39;@@@&#39;&#39;@@
    &#39;@@&#39;@@@@@@&#39;&#39;@@@@@@@@@&#39;&#39;&#39;&#39;&#39;@@@
    &#39;@@&#39;&#39;&#39;@@@@&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;@@@&#39;&#39;&#39;&#39;@@@
    @@@@&#39;&#39;&#39;&#39;@@&#39;@@@@@@@@@@&#39;&#39;&#39;&#39;@@@@@

*/

JSON