by r0t,der4444,cembo,VietMafia

Tuesday, December 06, 2005

Magic Forum Personal SQL&XSS vuln.


Vuln. discovered by: r0t
Date: 6 Dec. 2005
Vendor: www.cfmagic.com/products/magicforumper.cfm
Affected version: 2.5 and prior

Product Description:

Magic Forum Personal is our full-featured, yet value priced, discussion forum application. Designed for a small to medium sized site, it has all of the features required for a discussion forum without all of the fluff, not to mention high price, found in most forum apps. Primary forum features include: registration of members, use of moderators, optional approval of posts, moderators can approve, edit, delete any post, complete member profile area, members use post signatures, subscriptions to posts, PHTML (Pseudo HTML) based editor interface, full-featured search function, and much, much more. Also, a complete admin area with tons of options that allow you to tailor the app to your site's needs. Some of the options include: Use PHTML, Show Stats, Show Moderators, Track Views, Number of Topics/Replies Per Page, forum wide Date/Time Display, Allow Subscriptions, Allow Signatures, Use of Member Levels, Allow Save Login, Check Member Email and many, many more. We have a fully-functional online demo available and you can get more info at the Magic Forum Personal home page.


1. SQL inj vuln.
Magic Forum Personal contains a flaw that allows remote SQL injection attacks. Input passed to the "ForumID", "Thread" and "ThreadID" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
/view_forum.cfm?ForumID=1[SQL]
/view_thread.cfm?ForumID=1[SQL]
/view_thread.cfm?ForumID=1&ThreadID=1&Thread=1[SQL]
/view_thread.cfm?ForumID=1&ThreadID=1[SQL]


2. XSS
Magic Forum Personal contains a flaw that allows remote cross-site scripting attacks. This flaw exists because input passed to the search parameters of "search_forums.cfm" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


Solution:
Edit the source code to ensure that input is properly sanitised.
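What "properly sanitised" looks like for the two issues above, as an added ColdFusion example that is not the vendor's code: the datasource name, the table and column names, and the search parameter name (URL.SearchText) are assumptions; cfparam with type="integer" raises an error for non-integer input, which the application would normally catch with its own error handler.

```cfml
<!--- view_thread.cfm fragment (hypothetical): ForumID / ThreadID handling.
      The vulnerable pattern is raw interpolation of the URL value into the SQL text,
      e.g.  WHERE ForumID = #URL.ForumID#  -- anything appended to the parameter
      becomes part of the statement. The Thread parameter is handled the same way. --->

<!--- Reject anything that is not an integer before it reaches the query. --->
<cfparam name="URL.ForumID"  type="integer">
<cfparam name="URL.ThreadID" type="integer">

<!--- Hardened: cfqueryparam sends the values as typed bind parameters,
      so they can never alter the structure of the statement. --->
<cfquery name="getThread" datasource="#application.dsn#">
    SELECT ThreadID, Subject
    FROM   Threads
    WHERE  ForumID  = <cfqueryparam value="#URL.ForumID#"  cfsqltype="cf_sql_integer">
    AND    ThreadID = <cfqueryparam value="#URL.ThreadID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- search_forums.cfm fragment (hypothetical): the search term is reflected to the
      user, so it must be HTML-encoded on output. HTMLEditFormat() turns <, >, & and "
      into entities, so the reflected value is rendered as text, not parsed as markup. --->
<cfparam name="URL.SearchText" default="">
<cfoutput>
    <p>Results for: <strong>#HTMLEditFormat(URL.SearchText)#</strong></p>
</cfoutput>

<!--- The same term also goes into a query, so it is bound rather than interpolated. --->
<cfquery name="searchPosts" datasource="#application.dsn#">
    SELECT PostID, Subject
    FROM   Posts
    WHERE  Body LIKE <cfqueryparam value="%#URL.SearchText#%" cfsqltype="cf_sql_varchar">
</cfquery>
```

The two controls are independent: bind parameters protect the database, output encoding protects the browser, and the search path needs both.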

Copyright (c) 2006 Pridels Sec Crew