Secunia

Some vulnerabilities have been reported in OpenBB, allowing malicious people to conduct Cross Site Scripting, SQL injection and script insertion attacks.

1) Input passed to certain parameters in various scripts isn't properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML or script code in a user's browser session in context of an affected site by tricking the user into visiting a malicious website or follow a specially crafted link.

Examples:
/member.php?action=login&redirect=[malicious_code]
/myhome.php?action=newmsg&to=blah[malicious_code]
/post.php?action=mail&TID=1[malicious_code]
/index.php?redirect=[malicious_code]

2) Input passed to certain parameters in various scripts isn't properly verified before it is used in an SQL query. This can be exploited by malicious people to manipulate SQL queries by injecting arbitrary SQL code.

Examples:
/post.php?FID=[SQL]
/board.php?FID=1[SQL]
/member.php?action=list&page=1&sortorder=[SQL]
/member.php?action=list&page=1&sortorder=username&perpage=[SQL]
/member.php?action=passwdsend&resetid=blah&id=2[SQL]
/search.php?&sortby=dateline&sort=DESC&q=open&forums%5B[SQL]%5D
/post.php?action=edit&page=1&PID=1[SQL]
/post.php?action=post&FID=1[SQL]

3) Multiple administrative, moderator, and user functions are accessible through GET requests. This can be exploited by including links to "images", which refer to certain functions. When the page including the image is read, the functions are executed with the priviliges of the current OpenBB user. The only restriction is that the image URL must end with a valid image extension.

4) It is possible to read private messages of other users by specifying a valid message id using the "myhome.php" script.

5) Uploaded avatars are not properly verified, allowing users to upload arbitrary files. This can be exploited to execute arbitrary HTML or script code in a user's browser session.

The vulnerabilities have been reported in version 1.0.6 and prior.

Solution
Edit the source code to ensure that input is properly sanitised.
Further details available in Customer Area

Provided and/or discovered by
1-3) JeiAr of the GulfTech Security Research Team
4,5) Manuel Lopez

Changelog
Further details available in Customer Area

Original Advisory
http://www.gulftech.org/04242004.php

Deep Links
Links available in Customer Area