freediscussionforums 1.0 – Multiple Vulnerabilities - 体验盒子

作者： Abysssec

日期： 2010-09-14

类别：

webapps

平台：

asp

来源：https://www.exploit-db.com/exploits/14999/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

'''

________ __ ____

|\/|/ __ \ /\| || |_ \

| \/ | || | /\ | || | |_) |

| |\/| | || |/ /\ \| || |_ <

| || | |__| / ____ \ |__| | |_) |

|_||_|\____/_/\_\____/|____/

http://www.exploit-db.com/moaub-14-freediscussionforums-multiple-remote-vulnerabilities/

'''

Abysssec Inc Public Advisory

Title:FreeDiscussionForums Multiple Remote Vulnerabilities

Affected Version :Free Discussion Forum 1.0

Discovery:www.abysssec.com

Vendor :http://www.freediscussionforums.net

Download Links :http://sourceforge.net/projects/discusionforum/

Admin Login:http://Example.com/adminlogin.aspx

Description :

===========================================================================================

This version of FreeDiscussionForums have Multiple Valnerabilities :

1- Access to Admin's Section

2- Persistent XSS

Access to Admin's Section:

===========================================================================================

With this path you can easily access to Admin's section:

http://Example.com/ManageSubject.aspx

Valnerable Code :

DLL :App_Web_wngcbiby.dll

Class :Class adminlogin

protected void Button1_Click(object sender, EventArgs e)

{

...

if ((this.txtUserName.Text.Trim() == str) && (this.txtPassword.Text.Trim() == str2))

{

this.Session["User"] = "admin";

base.Response.Redirect("ManageSubject.aspx");

}

Persistent XSS:

===========================================================================================

in this application also there is a Persistent XSS exist in title field.

Valnerable Code :

DLL :App_Web_wngcbiby.dll

Class :Class AddPost

protected void Page_Load(object sender, EventArgs e)

{

if (base.Request.QueryString["forumId"] != null)

{

this.forumId = Convert.ToInt32(base.Request.QueryString["forumId"]);

}

if (base.Request.QueryString["title"] != null)

{

this.title = Common.ReplaceString(base.Request.QueryString["title"].ToString().Trim());

}

...

}

===========================================================================================