[eVuln] FreeForum PHP Code Execution & Multiple XSS Vulnerabilities

---

• From: alex@xxxxxxxxx
• Date: 10 Mar 2006 13:42:59 -0000

---

New eVuln Advisory:
FreeForum PHP Code Execution & Multiple XSS Vulnerabilities
http://evuln.com/vulns/89/summary.html

--------------------Summary----------------
eVuln ID: EV0089
CVE: CVE-2006-0957 CVE-2006-0958
Vendor: ZoneO-Soft
Vendor's Web Site: http://soft.zoneo.net/
Software: FreeForum
Sowtware's Web Site: http://soft.zoneo.net/freeForum/
Versions: 1.2
Critical Level: Dangerous
Type: Multiple Vulnerabilities
Class: Remote
Status: Patched
PoC/Exploit: Available
Solution: Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

-----------------Description---------------
1. PHP Code Execution Vulnerability.

Vulnerable Script: func.inc.php

Variables $_SERVER[HTTP_X_FORWARDED_FOR] $_SERVER[HTTP_CLIENT_IP] are not sanitized before being written into 'Data/flood.db.php' file. This can be used to inject arbitrary PHP code by posting HTTP query with fake X-Forwarded-For or Client-ip values.

System access is possible.


2. Multiple Cross-Site Scripting

Vulnerable Script: func.inc.php

Variables $name $subject are not properly sanitized. This can be used to post message with arbitrary HTML or JavaScript code.

--------------PoC/Exploit----------------------
Available at: http://evuln.com/vulns/89/exploit.html

--------------Solution---------------------
Vendor-provided solution is available now.
Install or Upgrade to version 1.2.1

http://soft.zoneo.net/freeForum/changes.php

--------------Credit-----------------------
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)


Regards,
Aliaksandr Hartsuyeu
http://evuln.com - Penetration Testing Services
..

---

• Prev by Date: [SECURITY] [DSA 992-1] New ffmpeg packages fix arbitrary code execution
• Next by Date: GnuPG does not detect injection of unsigned data
• Previous by thread: [SECURITY] [DSA 992-1] New ffmpeg packages fix arbitrary code execution
• Next by thread: GnuPG does not detect injection of unsigned data
• Index(es):
  • Date
  • Thread

---

Relevant Pages [Full-disclosure] [ MDVSA-2009:331 ] kdegraphics ... Multiple vulnerabilities has been found and corrected in kdegraphics: ... earlier allow remote attackers to cause a denial of service ... GPG public key of the Mandriva Security Team by executing: ... (Full-Disclosure) [ MDVSA-2009:331 ] kdegraphics ... Multiple vulnerabilities has been found and corrected in kdegraphics: ... earlier allow remote attackers to cause a denial of service ... GPG public key of the Mandriva Security Team by executing: ... (Bugtraq) AlstraSoft E-Friends 4.96 Multiple Remote Vulnerabilities ... AlstraSoft E-Friends 4.96 Multiple Remote Vulnerabilities ... SAMPLE CODE ... used in SQL queries and from the PHP's upload functions. ... (Bugtraq) SecurityFocus Microsoft Newsletter #306 ... Microsoft Office security, part two ... Microsoft Internet Explorer COM Object Instantiation Daxctle.OCX Heap Buffer Overflow vulnerability. ... Cybozu Garoon Multiple SQL Injection Vulnerabilities ... (Focus-Microsoft) [Full-disclosure] [ MDVSA-2009:183 ] apache-mod_security ... Multiple vulnerabilities has been found and corrected in mod_security: ... All packages are signed by Mandriva for security. ... GPG public key of the Mandriva Security Team by executing: ... (Full-Disclosure)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > bugtraq  > 2006-03