Security Advisory SA42204 - 6kbbs Multiple Vulnerabilities

Secunia

Blog

Secunia Advisory SA42204

6kbbs Multiple Vulnerabilities

Secunia Advisory

SA42204

Release Date

2010-11-15

Last Update

2011-10-11

Popularity

1,557 view

Comments

0 comments

Criticality level

Moderately critical

Impact

Cross Site Scripting
Manipulation of data

Where

From remote

Authentication level

This information is available to Secunia VIM customers

Report reliability

This information is available to Secunia VIM customers

Solution Status

Unpatched

Systems affected

This information is available to Secunia VIM customers

Approve distribution

This information is available to Secunia VIM customers

Remediation status

Secunia VIM

Software:

6kbbs 8.x

Secunia CVSS Score

This information is available to Secunia VIM Customers

CVE Reference(s)

CVE-2010-4811 CVSS score available to Secunia VIM customers
CVE-2010-4812 CVSS score available to Secunia VIM customers

Description

Multiple vulnerabilities have been discovered in 6kbbs, which can be exploited by malicious users to conduct script insertion and SQL injection attacks and by malicious people to conduct cross-site scripting and cross-site request forgery attacks.

1) Input passed via the "user[msn]", "user[email]", and "user[phone]" POST parameters to ajaxmember.php (when "action" is set to "modifyDetails") is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will execute in a user's browser session in context of an affected site.

2) Input passed via the "tids[]" POST parameter (when "postaction" POST parameter is set to e.g. "delPost") to ajaxadmin.php (when "action" is set to "dotopics") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires "Super Moderator" privileges.

3) Input passed via the "msgids[]" POST parameter to ajaxmember.php (when "action" is set to "deleteMsgs") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

4) Input passed via the URL to e.g. index.php is not properly sanitised before being used in the "genUrl()" function (inc/fun.php) and being returned to the user in portal_header.php and header.php. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

5) The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. modify PHP code of the application when a logged-in user visits a specially crafted web page.

The vulnerabilities are confirmed in version 8.0 build 20100901. Other versions may also be affected.

Solution
Edit the source code to ensure that input is properly sanitised. Do not browse untrusted sites or follow untrusted links while being logged-in to the application.

Provided and/or discovered by
1 - 3) k4shifz, Wolves Security Team
4, 5) insight-labs

Changelog
Further details available to Secunia VIM customers

Original Advisory
Wolves Security Team:
http://bbs.wolvez.org/viewtopic.php?id=180

insight-labs:
http://insight-labs.org/report/6kbbs-report.pdf

Deep Links
Links available to Secunia VIM customers

Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: 6kbbs Multiple Vulnerabilities

No posts yet

Secunia Advisory SA42204

6kbbs Multiple Vulnerabilities

Do you have additional information related to this advisory?

You must be logged in to post a comment.

Secunia Customer Login

Not a customer already?