KaiBB Cross-Site Scripting and SQL Injection Vulnerabilities
Description
Secunia Research has discovered multiple vulnerabilities in KaiBB, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.
1) Input passed via the "Referer" HTTP header to index.php and acp/index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Successful exploitation of this vulnerability requires that the victim uses a browser that does not URL-encode the request (e.g. Internet Explorer 6).
2) Input passed via the "checkbox" POST parameter to index.php (when "s" is set to "viewtopic" and "delete_posts" and "confirmed" are set) is not properly sanitised in core/topic.php before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires a moderator account.
3) Input passed via the "checkbox" POST parameter to index.php (when "s" is set to "mail") is not properly sanitised in core/mail.php before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of vulnerabilities #2 and #3 requires that "magic_quotes_gpc" is disabled.
4) Input passed via the "attachment" parameter when uploading a file through a webform is not properly sanitised in inc/function.php before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability requires permissions to upload files.
The vulnerabilities are confirmed in version 2.0.1. Other versions may also be affected.
Vulnerable Products
Vulnerable Software: KaiBB 2.x
Solution
Edit the source code to ensure that input is properly sanitised.
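The following is an added illustration of what that fix looks like for the two issue classes above; it is hypothetical example code written for this advisory, not KaiBB's own source. It assumes a PDO connection `$pdo`, a table `posts`, and that the "checkbox" POST parameter carries a list of post ids.

```php
<?php
// Added example (not KaiBB code): output encoding for the reflected Referer
// value, and input validation plus parameter binding for the "checkbox" ids.

// 1) Reflected XSS via the Referer header: never echo raw header values.
function safe_referer(array $server): string {
    $ref = $server['HTTP_REFERER'] ?? '';
    // Encode for an HTML context; ENT_QUOTES also covers attribute contexts.
    return htmlspecialchars($ref, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2/3) SQL injection via the "checkbox" POST array used in an IN (...) list.
// Vulnerable pattern (only "protected" by magic_quotes_gpc, which the advisory
// notes is the precondition, and which later PHP versions removed entirely):
//   $ids = implode(',', $_POST['checkbox']);
//   $db->query("DELETE FROM posts WHERE id IN ($ids)");
function post_ids_from_checkbox($raw): array {
    if (!is_array($raw)) {
        return [];
    }
    $ids = [];
    foreach ($raw as $v) {
        // Accept only canonical positive integers; reject "1 OR 1=1", "07", "".
        if (is_string($v) && preg_match('/^[1-9][0-9]*$/', $v)) {
            $ids[] = (int) $v;
        }
    }
    return array_values(array_unique($ids));
}

function delete_posts(PDO $pdo, array $ids): int {
    if ($ids === []) {
        return 0;
    }
    // One placeholder per id; values are bound, never interpolated into SQL.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("DELETE FROM posts WHERE id IN ($marks)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// Usage with constructed input: a hostile id is dropped, the valid ones bound.
// $ids = post_ids_from_checkbox(['12', '1 OR 1=1', '7']);   // [12, 7]
// delete_posts($pdo, $ids);
```

The same validate-then-bind pattern applies to the "attachment" value in issue #4; the moderator or upload permission the advisory mentions limits who can reach the code path, not whether the query is injectable.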