Multiple vulnerabilities have been discovered in 6kbbs, which can be exploited by malicious users to conduct script insertion and SQL injection attacks and by malicious people to conduct cross-site scripting and cross-site request forgery attacks.
1) Input passed via the "user[msn]", "user[email]", and "user[phone]" POST parameters to ajaxmember.php (when "action" is set to "modifyDetails") is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will execute in a user's browser session in context of an affected site.
2) Input passed via the "tids[]" POST parameter (when "postaction" POST parameter is set to e.g. "delPost") to ajaxadmin.php (when "action" is set to "dotopics") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires "Super Moderator" privileges.
3) Input passed via the "msgids[]" POST parameter to ajaxmember.php (when "action" is set to "deleteMsgs") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
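The two SQL injection issues above share a pattern: an array POST parameter ("tids[]", "msgids[]") whose elements are concatenated into a query. The following is an added example, not 6kbbs code, showing how such an array should be handled: each element is validated as a positive integer and the remaining values are bound through a PDO prepared statement with one placeholder per id. Table and column names are hypothetical.

```php
<?php
// Added example (not 6kbbs code): safe handling of an array POST parameter
// such as "msgids[]" before it reaches a SQL query. The "messages" table,
// its "owner_id"/"id" columns and the ownership check are hypothetical.

function normaliseIdList(array $raw): array
{
    // Keep only values that are strictly positive integers; anything else
    // (SQL fragments, floats, empty strings) is dropped rather than quoted.
    $ids = [];
    foreach ($raw as $value) {
        if (is_string($value) && preg_match('/^[1-9][0-9]*$/', $value)) {
            $ids[] = (int) $value;
        } elseif (is_int($value) && $value > 0) {
            $ids[] = $value;
        }
    }
    return array_values(array_unique($ids));
}

function deleteMessages(PDO $db, int $ownerId, array $rawMsgIds): int
{
    $ids = normaliseIdList($rawMsgIds);
    if ($ids === []) {
        return 0;
    }
    // One "?" per id, all bound as parameters: the request never contributes
    // SQL text, only values. Restricting to owner_id also prevents a user
    // from deleting messages that are not theirs.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "DELETE FROM messages WHERE owner_id = ? AND id IN ($placeholders)"
    );
    $stmt->execute(array_merge([$ownerId], $ids));
    return $stmt->rowCount();
}

// Constructed input mimicking a tampered "msgids[]" parameter.
$tampered = ['12', '15', "1) OR 1=1 --", '', '7', '12'];
print_r(normaliseIdList($tampered));
```

The same placeholder-per-element approach applies to "tids[]" in ajaxadmin.php; the query text stays constant regardless of how many ids the request carries.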
4) Input passed via the URL to e.g. index.php is not properly sanitised before being used in the "genUrl()" function (inc/fun.php) and being returned to the user in portal_header.php and header.php. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
5) The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. modify PHP code of the application when a logged-in user visits a specially crafted web page.
The vulnerabilities are confirmed in version 8.0 build 20100901. Other versions may also be affected.
Vulnerable Products
Vulnerable Software: 6kbbs 8.x
Solution
Edit the source code to ensure that input is properly sanitised. Do not browse untrusted sites or follow untrusted links while logged in to the application.