Main Menu

VIP Services

Critical Alerts

- 28 May 2008

Adobe Flash Player Unspecified Remote Code Execution Vulnerability

 

- 11 Mar 2008

Microsoft Excel Multiple Remote Code Execution Vulnerabilities

 

- 16 Jan 2008

Microsoft Excel File Handling Remote Arbitrary Code Execution Vulnerability

 

- 13 Dec 2007

JustSystems Ichitaro "JSGCI.DLL" Document Processing Remote Buffer Overflow Vulnerability

 

- 11 Dec 2007

Microsoft Internet Explorer Multiple Remote Memory Corruption Vulnerabilities

 

Advisories » Vikingboard Multiple Remote Cross-Site Scripting and Debug Information Disclosure Vulnerabilities

 

Release Date: 25/07/2007 Severity: Less Critical Less Critical
SecWatch Advisory: SWID1018567 Cause: Input validation error
Solution Status: Unpatched Impact: Disclosure of system information
Cross Site Scripting
Exploit Status: PoC Available Access Vector: From remote
 
Affected Software: Vikingboard 0.x
 
Original Advisory: http://lostmon.blogspot.com/2007/07/vikingboard-debug-information.html
http://lostmon.blogspot.com/2007/07/vikingboard-multiple-cross-site.ht..
CVE: CVE-2007-4088 CVE-2007-4089 CVE-2007-4090
Secunia: SA26196
Bugtraq ID: BID#25056

 

Description:

Multiple vulnerabilities in Vikingboard have been reported, which can be exploited by remote users to disclose system information and conduct cross-site scripting attacks.

1) User-supplied input passed via the URL is not properly sanitised in inc/lib/screen.php.  This can be exploited to execute arbitrary script code in the security context of an affected website, as a result the code will be able to access any of the target user's cookies, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Note: Successful exploitation requires that the target users web browser does not URL encode requests (such as Internet Explorer).

2) User-supplied input passed to multiple parameters in multiple scripts is not properly sanitised before being used.  This can be exploited to execute arbitrary script code in the security context of an affected website, as a result the code will be able to access any of the target user's cookies, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

3) The debug mode can be enabled by appending "&debug=1" to the end of a URL, which can b e exploited to potentially disclose certain system information.

 

Affected:

Vikingboard version 0.1.2.

 

Proof of Concept:

Cross-Site Scripting:
http://[target]/cp.php?mode=9&id=2[XSS]
http://[target]/cp.php?mode=7&f=1[XSS]
http://[target]/cp.php?mode=6"e=1[XSS]
http://[target]/cp.php?mode=12&act=[XSS]
http://[target]/user.php?u=2[XSS]
http://[target]/help.php?act=guidelines[XSS]

Information Disclosure:
http://[target]/forum.php?f=1&debug=1
http://[target]/cp.php?mode=10&debug=1
http://[target]/cp.php?&debug=1

 

Solution:

There was no vendor-supplied solution at the time of entry.

Edit source code manually to ensure user-supplied input is correctly sanitised.

Filter malicious characters and character sequences via a HTTP proxy or firewall with URL filtering capabilities.

 

Credits:

Lostmon

 

Free Vulnerability Notification Service

Receive free instant and customisable notifications of new vulnerabilities or exploits via e-mail, web or RSS feeds. Click here for more information.

 

Related Vulnerabilities and Exploits

20 Nov 06: Vikingboard Remote Cross-Site Scripting and Arbitrary File Inclus..