[UNIX] OpenBB Multiple Vulnerabilities (board.php, search.php, member.php, post.php, myhome.php, index.php)
From: SecuriTeam (support_at_securiteam.com)
Date: 05/02/04
To: list@securiteam.com Date: 2 May 2004 11:24:12 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
OpenBB Multiple Vulnerabilities (board.php, search.php, member.php,
post.php, myhome.php, index.php)
------------------------------------------------------------------------
SUMMARY
" <http://www.openbb.com> OpenBB is a fast, lightweight, powerful bulletin
board written in PHP/MySQL. Main features include: full customization via
styles templates, instant messaging, private messaging, categories, member
ranks, poll based threads, moderation, BB codes, thread notifications,
avatars, member lists, private forums and more."
Several types of attacks are possible against OpenBB. The system contains
bugs ranging from cross-site scripting and SQL injection to arbitrary
command execution.
DETAILS
Vulnerable Systems:
* OpenBB version 1.0.6
Cross-site Scripting
OpenBB is prone to cross-site scripting vulnerabilities in multiple files.
Code can be injected and executed in the context of the user's browser, or
used to harvest sensitive user information such as that which is stored
inside cookies (a prime example is login credentials).
Some vulnerable scripts are listed below:
/member.php?action=login&redirect=[XSS]
/myhome.php?action=newmsg&to=blah[XSS]
/post.php?action=mail&TID=1[XSS]
/index.php?redirect=[XSS]
SQL Injection
Some fields supplied by users are not properly sanitized, allowing an
attacker to pass additional SQL commands to the backend database. A
snippet of code from one of the vulnerable scripts (post.php) is presented
below:
// Check to make sure they are not posting to a category
$query_type = new query($SQL, "SELECT type FROM ".$prefix."forum_display WHERE forumid = $FID");
$query_type->getrow();
$ftype = $query_type->field('type');
The $FID parameter is passed directly into the SQL query without being
sanitized or filtered at all. The same issue is present in more than one
file; it is not limited to post.php.
Other vulnerable scripts are listed below (and their vulnerable
parameter):
/board.php?FID=1[SQL]
/member.php?action=list&page=1&sortorder=[SQL]
/member.php?action=list&page=1&sortorder=username&perpage=[SQL]
/member.php?action=passwdsend&resetid=blah&id=2[SQL]
/search.php?&sortby=dateline&sort=DESC&q=open&forums%5B[SQL]%5D
/post.php?action=edit&page=1&PID=1[SQL]
/post.php?action=post&FID=1[SQL]
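The post.php pattern quoted above, as an added example (not OpenBB's code), beside a hardened version that validates the id and binds it as a parameter. It assumes pdo_sqlite is available; the table, its rows and the two request values are constructed stand-ins for <prefix>forum_display and FID.

```php
<?php
// Added example, not OpenBB code: the post.php pattern (FID interpolated
// straight into the SQL text) beside a hardened version that validates the
// id and binds it. Assumes pdo_sqlite; the table and rows are constructed
// stand-ins for <prefix>forum_display.
$prefix = 'obb_';
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE {$prefix}forum_display (forumid INTEGER, type TEXT)");
$db->exec("INSERT INTO {$prefix}forum_display VALUES (1, 'forum'), (2, 'category')");

// Vulnerable: the request value becomes part of the statement, so any SQL
// syntax it carries changes what the query means. Returns the matched rows.
function forum_type_vulnerable(PDO $db, string $prefix, string $FID): array {
    $sql = "SELECT type FROM " . $prefix . "forum_display WHERE forumid = $FID";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: accept only a positive integer, then pass it as a bound
// parameter so it can never be parsed as SQL.
function forum_type_safe(PDO $db, string $prefix, string $FID): ?string {
    if (!preg_match('/^[1-9][0-9]*$/', $FID)) {
        return null;   // caller would render an "invalid forum" error instead
    }
    $stmt = $db->prepare("SELECT type FROM {$prefix}forum_display WHERE forumid = :fid");
    $stmt->execute([':fid' => (int)$FID]);
    $type = $stmt->fetchColumn();
    return $type === false ? null : $type;
}

// Constructed inputs: a normal id and one carrying extra SQL.
foreach (['2', '1 OR 1=1'] as $fid) {
    echo "FID=" . $fid . "\n";
    echo "  vulnerable rows: " . implode(',', forum_type_vulnerable($db, $prefix, $fid)) . "\n";
    echo "  hardened result: " . var_export(forum_type_safe($db, $prefix, $fid), true) . "\n";
}
```

The vulnerable query returns every row for the second input, because the extra SQL widens the WHERE clause; the hardened function never lets that text reach the database.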
Arbitrary Command Execution
A malicious user can cause arbitrary commands to be executed simply by
sending the admin a private message with the command embedded in it, or by
posting a message that contains the command; when the message is viewed,
the command is executed silently.
Below are some examples of administrative commands that can be placed in
an image tag or a malicious link:
/cp_forums.php?do=remove&id=1
/cp_usergroup.php?do=remove&UGID=1
/cp_ipbans.php?action=do_delip&ipid=1
Other types of administrative commands:
/myhome.php?action=delmsg&box=inbox&id=all
/post.php?action=edit&PID=1&send=1&delete=yes
/moderator.php?action=announce&TID=1
OpenBB does try to block such attacks by filtering certain input, but the
filtering is flawed.
Below is a code snippet from the '/lib/codeparse.php' file that is
responsible for the filtering:
case 'img':
    if(!preg_match('#^(http|https)://(.*?)\.(gif|jpg|jpeg|png)$#', $inside) )
        $return = '[ invalid image ]';
    else
        $return = '<img src="' .str_replace('"', '', $inside). '" alt="User-Posted Image (tm)" border="0" />';
    break;
All an attacker has to do in order to have the command executed is make
sure the URL within the image tag ends with an allowed extension. This is
not safe at all: one can append a made-up variable whose value carries an
allowed extension, and the code is still run.
For example:
/post.php?action=edit&PID=1&send=1&delete=yes&image=blah.jpg
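The codeparse.php extension check, as an added example (not OpenBB's code) beside a stricter variant: the original regex only inspects how the whole string ends, so a query string ending in ".jpg" satisfies it. The stricter function parses the URL, requires a host, rejects any query or fragment, and tests only the path's extension; example.com is a placeholder host and the test inputs are constructed.

```php
<?php
// Added example, not OpenBB code. openbb_img_ok() is the check from
// codeparse.php; strict_img_ok() is a stricter alternative that rejects
// URLs carrying a query string or fragment and only looks at the path.
function openbb_img_ok(string $inside): bool {
    return (bool)preg_match('#^(http|https)://(.*?)\.(gif|jpg|jpeg|png)$#', $inside);
}

function strict_img_ok(string $inside): bool {
    $u = parse_url($inside);
    if ($u === false || !isset($u['scheme'], $u['host'], $u['path'])) {
        return false;
    }
    if (!in_array(strtolower($u['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($u['query']) || isset($u['fragment'])) {
        return false;   // a "?" or "#" part can hide anything behind the extension
    }
    return (bool)preg_match('#\.(gif|jpe?g|png)$#i', $u['path']);
}

// Constructed inputs; example.com is a placeholder host. The second mirrors
// the shape of the advisory's example: a script URL whose last query value
// ends in an allowed extension.
$tests = [
    'http://example.com/pics/a.jpg',
    'http://example.com/post.php?action=edit&delete=yes&image=blah.jpg',
    'https://example.com/a.png#x.gif',
];
foreach ($tests as $t) {
    printf("%-70s openbb:%s strict:%s\n", $t,
        openbb_img_ok($t) ? 'allow' : 'deny',
        strict_img_ok($t) ? 'allow' : 'deny');
}
```

Tightening the image filter narrows what a post can reference, but it does not by itself stop a browser from issuing state-changing GET requests; the administrative actions listed above also need a per-request token or a POST-only requirement.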
ADDITIONAL INFORMATION
The information has been provided by <mailto:security@gulftech.org>
JeiAr.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.