*6kbbs v8.0 XSS (Cross-site Scripting) Security Vulnerabilities*


Exploit Title: 6kbbs XSS (Cross-site Scripting) Security Vulnerabilities
Vendor: 6kbbs
Product: 6kbbs
Vulnerable Versions: v7.1   v8.0
Tested Version: v7.1   v8.0
Advisory Publication: April 02, 2015
Latest Update: April 02, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Wang Jing [CCRG, Nanyang Technological University
(NTU), Singapore]







*Suggestion Details:*


*(1) Vendor & Product Description:*


*Vendor:*
6kbbs



*Product & Vulnerable Versions:*
6kbbs
v7.1
v8.0



*Vendor URL & download:*
6kbbs can be obtained from here,
http://www.6kbbs.com/download.html
http://code.google.com/p/6kbbs/downloads/list



*Product Introduction Overview:*
"6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the
code simple, easy to use, powerful, fast and so on. It is an excellent
community forum program. The program is simple but not simple; fast, small;
Interface generous and good scalability; functional and practical pursuing
superior performance, good interface, the user's preferred utility
functions."

"1, using XHTML + CSS architecture, so that the structure of the page,
saving transmission static page code, but also easy to modify the
interface, more in line with WEB standards; 2, the Forum adopted Cookies,
Session, Application and other technical data cache on the forum, reducing
access to the database to improve the performance of the Forum. Can carry
more users simultaneously access; 3, the data points table function, reduce
the burden on the amount of data when accessing the database; 4, support
for multi-skin style switching function; 5, the use of RSS technology to
support subscriptions forum posts, recent posts, user's posts; 6, the
display frame mode + tablet mode, the user can choose according to their
own preferences to; 7. forum page optimization keyword search, so the forum
more easily indexed by search engines; 8, extension, for our friends to
provide a forum for a broad expansion of space services; 9, webmasters can
add different top and bottom of the ad, depending on the layout; 10, post
using HTML + UBB way the two editors, mutual conversion, compatible with
each other; ..."




*(2) Vulnerability Details:*
6kbbs web application has a security bug problem. It can be exploited by
XSS attacks. This may allow a remote attacker to create a specially crafted
request that would execute arbitrary script code in a user's browser
session within the trust relationship between their browser and the server.

Several 6kbbs products 0-day vulnerabilities have been found by some other
bug hunter researchers before. 6kbbs has patched some of them. The
milw00rm.com is archive of exploits, videos, papers and vulnerabilities. It
has published suggestions, advisories, solutions details related to 6kbbs
vulnerabilities.


*(2.1)* The first code programming flaw occurs atoccurs at "/userlist.php?"
page with "&orderby" parameter.





*References:*
http://www.tetraph.com/security/xss-vulnerability/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.sg/2015/04/6kbbs-v80-xss-cross-site-scripting.html?view=sidebar
http://www.inzeed.com/kaleidoscope/computer-web-security/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/
https://hackertopic.wordpress.com/2015/04/02/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/
http://marc.info/?a=139222176300014&r=1&w=4
http://packetstormsecurity.com/files/authors/11717
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01759.html
http://milw00rm.com/exploits/6673




--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing