eNYe-Sec - www.enye-sec.org
-- About the program (from the author's page) --
NovaBoard is a free, feature-rich community message board software written in
PHP and MySQL that allows you to set up your own forum within minutes.
With a smart modules feature and the ease of creating your own themes you can
style and manipulate your board to look and perform how you want.
NovaBoard makes running a message board a breeze!
>Author : ShaFuck31
>Mail : g0rk3m-31@hotmail.com
>Script Name : tinyBB v0.2 Message Board
>Download Script : http://php.arsivimiz.com/indir.php?id=335
>Vuln. File : footers.php
__________________________
A R I A - S E C U R I T Y
__________________________
Message Board / Threaded Discussion Forum SQL INJECTION
Vendor: http://www.codewidgets.com
http://target.com/PATH/sign_in.aspx
Username: admin
eoCMS SQL injection vulnerability
1. General information
eoCMS is open-source software used to build Internet forums
(http://eocms.com/). On October 15, 2009, Bkis Security detected a
SQL injection vulnerability in some functions of eoCMS.
This is a critical vulnerability which allows an attacker to read data
from the database and perform unauthorized actions. Bkis has informed the
software developer team, and they have patched the vulnerability in the
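Neither SQL injection fragment above (the codewidgets sign-in page and the eoCMS report) shows the vulnerable query or the injected input. The following is an added example, not code from either vendor or advisory: it shows the login-query pattern such a sign-in form is typically vulnerable to, beside the parameterized form that closes it, against a constructed in-memory SQLite table. The schema, the user rows and the plaintext password column are assumptions made only to keep the demo short.

```python
import sqlite3
from typing import Optional

# Constructed demo data; not from eoCMS, codewidgets or any advisory.
# Passwords are stored in plaintext here only to keep the example short;
# a real application stores a salted hash.


def setup() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 's3cret-admin-pw', 'admin')")
    con.execute("INSERT INTO users VALUES ('alice', 'alice-pw', 'member')")
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """String-built query: quotes typed into the form become part of the SQL.

    password = "' OR '1'='1" turns the WHERE clause into
    (username = 'x' AND password = '') OR '1'='1', which matches every row,
    and the first row returned happens to be the admin account.
    """
    sql = ("SELECT role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(con: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Bound parameters: the driver passes values separately from the statement,
    so quotes, comment markers and keywords in the input are only data."""
    row = con.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = setup()
    payload = "' OR '1'='1"
    print("vulnerable    :", login_vulnerable(con, "x", payload))
    print("parameterized :", login_parameterized(con, "x", payload))
```

The same payload logs in as admin through the concatenated query and is rejected by the bound-parameter version; the fix is the query shape, not input filtering.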
Description
-----------
PyForum is a 100% Python-based message board system built on the excellent web2py framework.
We have discovered cross-site scripting and cross-site request forgery vulnerabilities in PyForum. The first allows arbitrary script to run when a post is viewed. The second allows attackers to submit forms (such as the change-password form) on a logged-in user's behalf without the user's knowledge.
The XSS vulnerability lies in the BBCode parsing in module ``models.parser``. The ``img`` and ``url`` tags do not sanitize their input and hence are susceptible to script injection.
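The advisory names the ``img`` and ``url`` tags but does not show the parser. The following is an added example, not PyForum's ``models.parser`` code: a minimal BBCode renderer written the vulnerable way (tag contents dropped straight into an HTML attribute) next to a hardened version that HTML-escapes the post first and only accepts absolute http(s) URLs. The tag regexes and output markup are assumptions for the illustration.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed illustration of the bug class; not PyForum's own parser.
IMG_RE = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r"\[url(?:=([^\]]*))?\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)
SAFE_SCHEMES = {"http", "https"}


def render_unsafe(post: str) -> str:
    """Vulnerable pattern: tag contents are pasted straight into HTML.

    [img]x" onerror="alert(1)[/img]  ->  <img src="x" onerror="alert(1)">
    [url=javascript:alert(1)]go[/url] ->  <a href="javascript:alert(1)">go</a>
    """
    out = IMG_RE.sub(lambda m: '<img src="%s">' % m.group(1), post)
    out = URL_RE.sub(lambda m: '<a href="%s">%s</a>' % (m.group(1) or m.group(2), m.group(2)), out)
    return out


def safe_url(candidate: str) -> Optional[str]:
    """Accept only absolute http(s) URLs with a host and no whitespace.

    Rejects javascript:, data:, vbscript: and attribute-breakout attempts.
    """
    candidate = candidate.strip()
    if not candidate or any(ch.isspace() for ch in candidate):
        return None
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return candidate


def render_safe(post: str) -> str:
    """Hardened renderer: escape first, then allow-list the URL before use.

    html.escape turns < > & " ' into entities, so nothing the poster typed
    can close an attribute or open a tag. The tag regexes then run over the
    escaped text; a URL that fails the allow-list is left as inert text.
    """
    escaped = html.escape(post, quote=True)

    def img(m):
        url = safe_url(m.group(1))
        return '<img src="%s" alt="">' % url if url else m.group(0)

    def link(m):
        url = safe_url(m.group(1) or m.group(2))
        return '<a href="%s" rel="nofollow">%s</a>' % (url, m.group(2)) if url else m.group(0)

    out = IMG_RE.sub(img, escaped)
    return URL_RE.sub(link, out)


if __name__ == "__main__":
    payload = '[img]x" onerror="alert(1)[/img] [url=javascript:alert(1)]click[/url]'
    print(render_unsafe(payload))
    print(render_safe(payload))
```

Escaping before tag expansion is what makes the scheme check sufficient: once quotes are entities, the only thing left to control is the URL value itself, and the allow-list decides that.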
management systems - WebSiteAdmin, WSCreator (WS standing
for WebSite) is a powerful application for handling multiple
websites. This is a commercial application.
Keep your family "Connected" with this content management
system (CMS) designed specifically with families in mind.
Key features are: a message board, a photo gallery,
a blog-like "Family News" section, a calendar, an
address book and recipe sharing section.
Each family member has their own personal settings, like
the ability to change the website's theme.
Now with Portuguese, Czech, English, Estonian, German, and
//----- Application description
Started in 1998, Phorum was the original PHP and MySQL based Open Source
forum software. Phorum's developers pride themselves on creating message
board software that is designed to meet different needs of different web
sites while not sacrificing performance or features.
//----- Description of vulnerability
Simple Machines Forum — SMF in short — is a free, professional grade
software package that allows you to set up your own online community
within minutes.
Its powerful custom-made template engine puts you in full control of
the layout of your message board, and with our unique SSI (Server
Side Includes) function you can let your forum and your website
interact with each other.
SMF is written in the popular language PHP and uses a MySQL database.
It is designed to provide you with all the features you need from a
bulletin board while having an absolute minimal impact on the
Description
-----------
pyForum is a 100% Python-based message board system built on the excellent web2py framework.
We have discovered a backdoor in PyForum. Anyone can force a password reset on behalf of any other user whose e-mail address is known. More importantly, the software author specifically can obtain the new administrator's password remotely.
The problem is in module ``forumhelper.py``. A new password is generated and saved to the database, and a notification e-mail containing that new password in plaintext is sent to the user. No password reset confirmation code or similar verification step is required. This causes a mild annoyance, or at most an account lockout.
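The advisory describes the flaw but not the code. As an added example, not PyForum's ``forumhelper.py``, the block below implements the described pattern (reset on request, new password mailed in plaintext) next to a two-step flow in which requesting a reset changes nothing until the holder of a single-use, time-limited token, stored only as a hash, confirms it. The in-memory store, the outbox standing in for the mailer, the reset URL and the 15-minute lifetime are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed example; not PyForum's code. The "database" and "mailer" are
# in-memory stand-ins so the whole flow runs offline.
TOKEN_TTL = 15 * 60          # assumed reset-token lifetime in seconds
PBKDF2_ROUNDS = 100_000


@dataclass
class User:
    email: str
    password_hash: str
    reset_token_hash: Optional[str] = None   # sha256 of the mailed token
    reset_expires: float = 0.0


@dataclass
class Store:
    users: Dict[str, User] = field(default_factory=dict)
    outbox: List[Tuple[str, str]] = field(default_factory=list)   # (recipient, body)


def hash_password(pw: str) -> str:
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def verify_password(pw: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def insecure_reset(store: Store, email: str) -> bool:
    """The pattern described: knowing the address is enough to replace the
    password immediately, and the new password travels in plaintext e-mail."""
    user = store.users.get(email)
    if user is None:
        return False
    new_pw = secrets.token_urlsafe(8)
    user.password_hash = hash_password(new_pw)
    store.outbox.append((email, "Your new password is " + new_pw))
    return True


def request_reset(store: Store, email: str, now: Optional[float] = None) -> None:
    """Step 1 (hardened): do not touch the password. Mail a single-use link and
    store only a hash of its token, so a database read does not yield a usable
    token. Unknown addresses get the same (empty) response to avoid enumeration."""
    user = store.users.get(email)
    if user is None:
        return
    token = secrets.token_urlsafe(32)
    user.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
    user.reset_expires = (now if now is not None else time.time()) + TOKEN_TTL
    # Hypothetical reset URL; the token reaches only the mailbox owner.
    store.outbox.append((email, "https://forum.example/reset?token=" + token))


def confirm_reset(store: Store, email: str, token: str, new_pw: str,
                  now: Optional[float] = None) -> bool:
    """Step 2: only the holder of the mailed token can set the new password,
    once, before it expires. Nobody, including the operator, sees the password."""
    user = store.users.get(email)
    if user is None or user.reset_token_hash is None:
        return False
    if (now if now is not None else time.time()) > user.reset_expires:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, user.reset_token_hash):
        return False
    user.password_hash = hash_password(new_pw)
    user.reset_token_hash = None      # single use
    user.reset_expires = 0.0
    return True


if __name__ == "__main__":
    store = Store()
    store.users["alice@example.com"] = User("alice@example.com", hash_password("original"))
    request_reset(store, "alice@example.com")
    print("after request, old password still valid:",
          verify_password("original", store.users["alice@example.com"].password_hash))
    link = store.outbox[-1][1]
    print("mailed:", link)
```

The two properties the original flow lacks are both visible here: a bare reset request cannot lock anyone out, because nothing changes until the token is presented, and the server never holds or transmits the new password, only a hash of a token that is useless after one use.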
Application : FubarForum
version : <= 1.6
Vendor : http://chaozz.nl/software/fubarforum/
Description :
FubarForum is a tiny flat-file (no MySQL needed) message board / forum that is easy to install and use. It is small (around 60 KB compressed) but has all the features you might expect from a forum.
--------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~~