DCForumLite DCBoard.CGI Multiple Input Validation Vulnerabilities

Bugtraq ID:	17697
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 25 2006 12:00AM
Updated:	Apr 26 2006 08:36PM
Credit:	Breeeeh is credited with the discovery of these vulnerabilities.
Vulnerable:	DC Scripts DCForum 3.0
Not Vulnerable:

DCForumLite DCBoard.CGI Multiple Input Validation Vulnerabilities

DCForumLite is prone to multiple input-validation vulnerabilities. The issues include cross-site scripting and SQL-injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.

A successful exploit of these vulnerabilities could allow an attacker to compromise the application, access or modify data, steal cookie-based authentication credentials, or even exploit vulnerabilities in the underlying database implementation. Other attacks are also possible.

DCForumLite DCBoard.CGI Multiple Input Validation Vulnerabilities



These issues can be exploited through a web client.

Example URIs have been provided:

• /data/vulnerabilities/exploits/dcforumlite-3.0-sql-xss.txt

DCForumLite DCBoard.CGI Multiple Input Validation Vulnerabilities

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected]

DCForumLite DCBoard.CGI Multiple Input Validation Vulnerabilities

References:

• DCScripts DCForum Homepage (DCScripts)
  
• DCForumLite V 3.0<--XSS/SQL Injection ([email protected])