[UNIX] APBoard Vulnerability Allows Posting to Protected Forums and Hijacking of Forum Passwords

From: support@securiteam.com
To: list@securiteam.com
Date: 14 Nov 2002 17:56:00 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -

  APBoard Vulnerability Allows Posting to Protected Forums and Hijacking of
Forum Passwords
------------------------------------------------------------------------

SUMMARY

Any registered user can post threads to password-protected forums, because
the target forum is taken from a client-controlled hidden form field. The
forum password is also passed in the URL, so an attacker can harvest it with
a Referer-logging script linked from such a thread.

DETAILS

Vulnerable systems:
 * APBoard version 2.02
 * APBoard version 2.03

Exploit:
1) Register an account on the vulnerable board.

2) Go to any forum and click "Neues Thema" ("New topic").

3) View the page source of that form and scroll down to the following lines:

<---code--->
<INPUT TYPE="hidden" NAME="sess_id" VALUE="">
<INPUT TYPE="hidden" NAME="postit" VALUE="TRUE">
<INPUT TYPE="hidden" NAME="insertinto" VALUE="1">
<INPUT TYPE="hidden" NAME="BoardID" VALUE="1">
<INPUT CLASS="button" TYPE="submit" NAME="new_topic" VALUE="Thema posten">
<INPUT CLASS="button" TYPE="submit" NAME="preview_topic" VALUE="Vorschau">
<---code--->

4) Change the "insertinto" value to the ID of the forum you want to post to,
e.g.: <INPUT TYPE="hidden" NAME="insertinto" VALUE="12">
The server uses this hidden field to decide which forum receives the thread
and does not check whether the posting user has supplied that forum's
password.

5) Save the modified page locally.

6) Open the saved file in a browser, write your text and click "Thema posten"
("Post topic"); the new thread is posted to the protected forum.
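The root cause of steps 4 to 6 is that the handler trusts "insertinto" as if it were server state. The following is an added example, not APBoard's code: a minimal model of a post handler that takes the forum ID from the hidden field with no access check, next to a version that only allows the post if the session has already supplied that forum's password. Forum, Session, unlock_forum, is_authorized and the two post_thread_* functions are hypothetical names; only the field name "insertinto" comes from the advisory, and the forum data is constructed for the example.

```python
"""Added example (not APBoard's code): a post handler that trusts the hidden
'insertinto' field, next to one that checks server-side session state.
All names except the form field 'insertinto' are hypothetical."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Forum:
    id: int
    name: str
    password: Optional[str] = None  # None means the forum is public


@dataclass
class Session:
    user: str
    # IDs of the forums whose password this session has already supplied.
    # This, not anything in the submitted form, is the authorization state.
    unlocked: Set[int] = field(default_factory=set)


class Forbidden(Exception):
    """Raised when a session tries to post where it is not allowed to."""


# Constructed data for the example: forum 12 is protected, forum 1 is open.
FORUMS: Dict[int, Forum] = {
    1: Forum(1, "Public"),
    12: Forum(12, "Protected", password="correct horse"),
}


def unlock_forum(session: Session, forum_id: int, password: str) -> bool:
    """Forum login done server-side: the unlock lives in the session, not in a URL."""
    forum = FORUMS.get(forum_id)
    if forum is None or forum.password is None:
        return False
    if hmac.compare_digest(forum.password.encode(), password.encode()):
        session.unlocked.add(forum_id)
        return True
    return False


def post_thread_vulnerable(session: Session, form: Dict[str, str]) -> int:
    """Behaviour the advisory describes: whichever forum ID the client put in
    'insertinto' receives the thread; nothing checks the session."""
    forum = FORUMS[int(form["insertinto"])]
    return forum.id  # a real handler would store form["text"] in this forum


def is_authorized(session: Session, forum_id: int) -> bool:
    """Decide from server state only whether this session may post here."""
    forum = FORUMS.get(forum_id)
    if forum is None:
        return False
    return forum.password is None or forum_id in session.unlocked


def post_thread_fixed(session: Session, form: Dict[str, str]) -> int:
    """Same form, but the hidden field is treated as untrusted input."""
    try:
        forum_id = int(form["insertinto"])
    except (KeyError, ValueError):
        raise Forbidden("missing or malformed forum id")
    if not is_authorized(session, forum_id):
        raise Forbidden(f"{session.user} has not unlocked forum {forum_id}")
    return forum_id


if __name__ == "__main__":
    s = Session("attacker")
    tampered = {"insertinto": "12", "text": "posted without the password"}
    print("vulnerable handler accepted forum", post_thread_vulnerable(s, tampered))
    try:
        post_thread_fixed(s, tampered)
    except Forbidden as e:
        print("fixed handler refused:", e)
```

The point of the fixed version is that the form may still carry "insertinto" for convenience, but the decision to accept the post is made against what the server itself recorded when the user entered the forum password, so editing the saved HTML changes nothing.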

A second bug in this board: when a user logs into a protected forum, the
forum password is put into the URL, where it is visible in plaintext in the
browser (and in browser history, proxy logs and the server's own access log),
e.g.:
http://www.your-domain.com/apboard/thread.php3?id=999&passwort=1&thepasswordhere

You could set up a Referer-logging script and link to it from a thread posted
in the protected forum (using the first bug). When any user of that forum
clicks the link, the browser sends the thread URL, password included, in the
Referer header, so the plaintext password ends up in the attacker's logs.
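Because the password travels in the query string, it is written to every log the URL passes through: the board's own access log records it in the request line, and any site the user clicks through to (here, the attacker's logger) records it in the Referer field. The following added example, which is not part of the advisory, scans NCSA "combined" access-log lines for the thread.php3 URL with a passwort= parameter and reports where it appeared. The log lines are constructed for the example; only the URL shape and the passwort parameter name come from the advisory, and the /pixel.gif path and client addresses are hypothetical.

```python
"""Added example (not from the advisory): find the APBoard forum password
leaking through access logs, in the request line and in the Referer header.
Sample log lines are constructed; the passwort= parameter is from the advisory."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# NCSA combined log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SECRET_PARAM = "passwort"  # query parameter APBoard uses for the forum login

# Constructed sample: line 1 is the board's own log (password in the request
# line); line 2 is the attacker's logger receiving the same URL as Referer;
# line 3 is an ordinary public thread and must not be flagged.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Nov/2002:17:56:00 +0200] "GET /apboard/thread.php3?id=999&passwort=1&thepasswordhere HTTP/1.0" 200 4321 "-" "Mozilla/4.0"
192.0.2.10 - - [14/Nov/2002:17:58:12 +0200] "GET /pixel.gif HTTP/1.0" 200 43 "http://www.your-domain.com/apboard/thread.php3?id=999&passwort=1&thepasswordhere" "Mozilla/4.0"
198.51.100.5 - - [14/Nov/2002:18:01:40 +0200] "GET /apboard/thread.php3?id=5 HTTP/1.0" 200 2210 "-" "Mozilla/4.0"
"""


def secret_in_url(url: str) -> Optional[str]:
    """Return the query string if it carries the forum-login parameter, else None.
    Works for both absolute URLs (Referer) and request targets (/path?query).
    keep_blank_values=True so a bare trailing token, as in the advisory's URL,
    is not silently dropped."""
    query = urlsplit(url).query
    params = dict(parse_qsl(query, keep_blank_values=True))
    return query if SECRET_PARAM in params else None


def find_leaks(log_text: str) -> List[Tuple[str, str, str]]:
    """Scan log lines; return (client_ip, where, query) for each leaked password.
    'where' is 'request' for the board's own log or 'referer' for a third-party
    site that received the URL in the Referer header."""
    leaks: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        q = secret_in_url(m["target"])
        if q:
            leaks.append((m["ip"], "request", q))
        q = secret_in_url(m["referer"])
        if q:
            leaks.append((m["ip"], "referer", q))
    return leaks


if __name__ == "__main__":
    for ip, where, query in find_leaks(SAMPLE_LOG):
        print(f"{ip} leaked forum password via {where}: {query}")
```

The lesson for the board's maintainers is the same in both cases: a secret that is part of a GET URL cannot be kept out of logs or Referer headers after the fact, so the forum login has to be submitted by POST and remembered server-side in the session rather than replayed in every thread URL.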

ADDITIONAL INFORMATION

The information has been provided by <mailto:proxy@es-crew.de> ProXy.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.