# Title : MOAUB #14 - FreeDiscussionForums v1.0 Multiple Remote Vulnerabilities
# Published : 2010-09-14
# Author : Abysssec
'''
http://www.exploit-db.com/moaub-14-freediscussionforums-multiple-remote-vulnerabilities/
'''
Abysssec Inc Public Advisory
Title : FreeDiscussionForums Multiple Remote Vulnerabilities
Affected Version : Free Discussion Forum 1.0
Discovery : www.abysssec.com
Vendor : http://www.freediscussionforums.net
Download Links : http://sourceforge.net/projects/discusionforum/
Admin Login : http://Example.com/adminlogin.aspx
Description :
===========================================================================================
This version of FreeDiscussionForums has multiple vulnerabilities:
1- Access to Admin's Section
2- Persistent XSS
Access to Admin's Section:
===========================================================================================
The admin section can be accessed directly through this path:
http://Example.com/ManageSubject.aspx
Vulnerable Code :
DLL : App_Web_wngcbiby.dll
Class : Class adminlogin
protected void Button1_Click(object sender, EventArgs e)
{
    ...
    // On matching credentials the session is marked as admin and the
    // browser is redirected to the admin page.
    if ((this.txtUserName.Text.Trim() == str) && (this.txtPassword.Text.Trim() == str2))
    {
        this.Session["User"] = "admin";
        base.Response.Redirect("ManageSubject.aspx");
    }
}
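Added example, not part of the original advisory or the vendor's code: the login handler above is the only place shown that sets Session["User"], so every admin page has to verify that value itself before it runs. The code assumes ManageSubject.aspx performs no such check; the AdminPage base class and the ManageSubject code-behind class name are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class for every page in the admin section.
public class AdminPage : Page
{
    // Same session key and value that adminlogin.Button1_Click sets on success.
    private const string SessionKey = "User";
    private const string AdminValue = "admin";
    private const string LoginUrl = "~/adminlogin.aspx";

    protected override void OnInit(EventArgs e)
    {
        if (!IsAdminSession(Context))
        {
            // endResponse = true stops the page life cycle here, so neither
            // Page_Load nor any postback handler of the admin page runs.
            Response.Redirect(LoginUrl, true);
        }

        // Keep admin pages out of browser and proxy caches.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        base.OnInit(e);
    }

    private static bool IsAdminSession(HttpContext context)
    {
        // Session is null when session state is disabled for the request.
        if (context == null || context.Session == null)
        {
            return false;
        }
        string user = context.Session[SessionKey] as string;
        return string.Equals(user, AdminValue, StringComparison.Ordinal);
    }
}

// Code-behind of ManageSubject.aspx (class name assumed): inherit the guard
// instead of deriving from Page directly.
public partial class ManageSubject : AdminPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Reached only when the login page marked this session as admin.
    }
}
```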
Persistent XSS:
===========================================================================================
The application also contains a persistent XSS in the title field.
Vulnerable Code :
DLL : App_Web_wngcbiby.dll
Class : Class AddPost
protected void Page_Load(object sender, EventArgs e)
{
    if (base.Request.QueryString["forumId"] != null)
    {
        this.forumId = Convert.ToInt32(base.Request.QueryString["forumId"]);
    }
    // title is read from the query string and passed through
    // Common.ReplaceString; this is the field reported above.
    if (base.Request.QueryString["title"] != null)
    {
        this.title = Common.ReplaceString(base.Request.QueryString["title"].ToString().Trim());
    }
    ...
}
===========================================================================================