[UNIX] Multiple Vulnerabilities in MercuryBoard
From: SecuriTeam (support_at_securiteam.com)
Date: 01/25/05
To: list@securiteam.com Date: 25 Jan 2005 18:50:12 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Vulnerabilities in MercuryBoard
------------------------------------------------------------------------
SUMMARY
MercuryBoard (http://www.mercuryboard.com) is "a powerful message board
system dedicated to raw speed with a mixture of features, ease of use, and
ease of customization coupled with expandability, and diverse language
services".
MercuryBoard has been found to contain multiple security vulnerabilities.
Some of the files that ship with it allow cross site scripting attacks,
others allow injection of arbitrary SQL statements, and still others
disclose the true path under which the program has been installed.
DETAILS
Vulnerable Systems:
* MercuryBoard version 1.1.1 and prior
Immune Systems:
* MercuryBoard version 1.1.2 and newer
Full Path Disclosure:
Vulnerable code:
Let's look at the original code from global.php, line 604:
<?
...
// some base variables
$current = ceil($min / $num);
$string = null;
$pages = ceil($rows / $num);
$end = ($pages - 1) * $num;
...
?>
As we can see, there is no check on $num, so if we simply set $num to 0
(or to a non-numeric value) the script cannot perform the division, and
an error message is displayed. This error message contains the full path
under which the program has been installed:
http://vulnerable/index.php?a=forum&f=2&min=0&n=0
Other scripts that come with MercuryBoard will reveal the full path by
simply accessing them:
* http://www.sitewithmercuryboard.com/lib/jpgraph/jpgraph_bar.php
* http://www.sitewithmercuryboard.com/lib/jpgraph/jpgraph_log.php
* http://www.sitewithmercuryboard.com/lib/jpgraph/jpgraph_polar.php
* http://www.sitewithmercuryboard.com/admincp/admin.php
* http://www.sitewithmercuryboard.com/func/[file], where [file] is any of
the PHP files in that directory:
  active.php, board.php, constants.php, cp.php, debug.php, email.php,
  forum.php, help.php, login.php, members.php, mod.php, pm.php, post.php,
  printer.php, profile.php, register.php, search.php, topic.php
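The paging arithmetic above, rewritten as an added example (not MercuryBoard's own code) so that a hostile n= or min= value can no longer produce a division by zero and the path-revealing PHP warning that comes with it. $rows is assumed to come from a row count query; the function names and the 100-per-page ceiling are assumptions.

```php
<?php
// Added example, not MercuryBoard's code: the global.php paging block with
// the missing input checks in front of it. Helper names are hypothetical.

function validate_page_params(array $get, int $rows, int $default_num = 20): array
{
    // Only accept a plain string of decimal digits: "abc", "-1", "" and
    // n[]=x all fall back to the default.
    $num = (isset($get['n']) && is_string($get['n']) && ctype_digit($get['n']))
        ? (int) $get['n'] : $default_num;
    $min = (isset($get['min']) && is_string($get['min']) && ctype_digit($get['min']))
        ? (int) $get['min'] : 0;

    // ctype_digit() accepts "0", so the divisor still needs an explicit lower bound.
    if ($num < 1 || $num > 100) {
        $num = $default_num;
    }
    if ($min > $rows) {
        $min = 0;
    }
    return ['num' => $num, 'min' => $min];
}

function page_info(int $min, int $num, int $rows): array
{
    // Same formulas as the original, now guaranteed a positive divisor.
    $current = (int) ceil($min / $num);
    $pages   = (int) ceil($rows / $num);
    $end     = ($pages - 1) * $num;
    return ['current' => $current, 'pages' => $pages, 'end' => $end];
}

// Constructed requests: the advisory's min=0&n=0, a non-numeric n, and a normal one.
$requests = [
    ['min' => '0',  'n' => '0'],
    ['min' => '40', 'n' => 'abc'],
    ['min' => '40', 'n' => '20'],
];
foreach ($requests as $query) {
    $p = validate_page_params($query, 95);
    print_r(page_info($p['min'], $p['num'], 95));
}

// Independently of the fix: never send PHP errors to the browser, log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
```

The two ini_set() calls are the generic mitigation for the whole "reveal the full path by simply accessing them" class above: even an unfixed script then logs its warning instead of printing the install path.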
Cross-Site Scripting (XSS):
Vulnerable code:
Let's look at the original code from /func/pm.php line 36:
<?
...
if (!isset($this->get['s'])) {
    $this->get['s'] = null;
}
switch($this->get['s'])
{
    case 'send':
        return $this->send();
        break;
    case 'view':
        return $this->view();
        break;
    case 'delete':
        return $this->delete_pm();
        break;
    case 'clear':
        return $this->clear();
        break;
    default:
        return $this->folder();
        break;
}
...
?>
As we can see, there is a switch/case statement that examines the content
of the 's' parameter, but nothing in it checks for an unexpected value in
's'. This allows us to cause an XSS.
Example:
http://vulnerable/index.php?a=pm&s='><script>alert(document.cookie)</script>
Vulnerable code:
Let's look at the original code from /func/members.php line 35:
<?
...
if (!isset($this->get['l'])) {
    $this->get['l'] = null;
} else {
    $this->get['l'] = strtoupper($this->get['l']);
}
...
?>
As we can see, there is no parsing or sanitizing of the 'l' parameter, so
nothing prevents us from carrying out an XSS attack with a URL such as:
http://vulnerable/index.php?a=members&l='><script>alert(document.cookie)</script>
Other ways that you can cause a cross site scripting in MercuryBoard:
http://vulnerable/index.php?a='><script>alert(document.cookie)</script>
http://vulnerable/index.php?a=post&s='><script>alert(document.cookie)</script>
http://vulnerable/index.php?a=post&s=reply&t='><script>alert(document.cookie)</script>
http://vulnerable/index.php?a=pm&s=send&to='><script>alert(document.cookie)</script>
http://vulnerable/index.php?a=pm&s=send&to=2&re='><script>alert(document.cookie)</script>
http://vulnerable/index.php?a=cp&s='><script>alert(document.cookie)</script>
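The pm.php dispatcher again, as an added example (not MercuryBoard's code) of the check the original switch lacks: an explicit whitelist of sub-actions, with anything else routed to the default view and never echoed back, plus output encoding for request values that do have to appear in HTML (the to= and re= fields above). Method names mirror the advisory's snippet; the class layout and return strings are assumptions. Requires PHP 8.

```php
<?php
// Added example, not MercuryBoard's code: whitelist dispatch for the 's'
// parameter of func/pm.php and escaping for reflected request values.

class Pm
{
    // Any value not in this list is treated as the folder view and is never
    // written back into the page.
    private const ACTIONS = ['send', 'view', 'delete', 'clear'];

    public function __construct(public array $get) {}

    public function execute(): string
    {
        $s = $this->get['s'] ?? null;
        if (!is_string($s) || !in_array($s, self::ACTIONS, true)) {
            return $this->folder();
        }
        return match ($s) {
            'send'   => $this->send(),
            'view'   => $this->view(),
            'delete' => $this->delete_pm(),
            'clear'  => $this->clear(),
        };
    }

    // For request values that must appear in markup (e.g. the "to" or "re"
    // field of the send form): encode quotes and angle brackets so the value
    // cannot break out of the attribute or tag it is placed in.
    public static function html(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    private function send(): string      { return 'send form'; }
    private function view(): string      { return 'view message'; }
    private function delete_pm(): string { return 'delete message'; }
    private function clear(): string     { return 'clear folder'; }
    private function folder(): string    { return 'folder listing'; }
}

// Constructed requests: the advisory's s= payload and a valid action.
$payload = "'><script>alert(document.cookie)</script>";
echo (new Pm(['s' => $payload]))->execute(), "\n";   // folder listing
echo (new Pm(['s' => 'view']))->execute(), "\n";     // view message
// The same payload placed in an attribute, now inert:
echo '<input name="to" value="' . Pm::html($payload) . '">', "\n";
```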
SQL Injection:
For the same reason that the XSS attacks described above are possible, it
is also possible to carry out SQL injection attacks. In this case it is a
non-critical bug, because one must first log in to the forum in order to
make a successful attack.
Example:
http://vulnerable/index.php?a=post&s=reply&t=0 UNION SELECT user_id,
user_password FROM mb_users /*
With this URL we get an error like the following (verified only on
MercuryBoard 1.1.0):
The used SELECT statements have a different number of columns
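How the t= (topic id) parameter behind index.php?a=post&s=reply should be handled, as an added example that is not MercuryBoard's code: the value is accepted only if it is a positive integer, and it reaches the database as a bound parameter rather than as SQL text, so the appended UNION above is never executed and no database error text reaches the browser. The mb_users table name comes from the advisory; mb_topics, its columns and the function names are assumptions.

```php
<?php
// Added example, not MercuryBoard's code: strict validation and a prepared
// statement for the topic id of index.php?a=post&s=reply&t=...

function topic_id_from_request(array $get): ?int
{
    // Accept only a string of decimal digits; "0 UNION SELECT ..." fails here,
    // as do arrays (t[]=x) and oversized values.
    $t = $get['t'] ?? null;
    if (!is_string($t) || !ctype_digit($t) || strlen($t) > 10) {
        return null;
    }
    $id = (int) $t;
    return $id > 0 ? $id : null;
}

function load_topic(PDO $db, int $topicId): ?array
{
    // The id travels as a typed bound parameter, never as part of the SQL text,
    // so the query's column count cannot be changed by the request.
    $stmt = $db->prepare('SELECT topic_id, topic_title FROM mb_topics WHERE topic_id = :id');
    $stmt->bindValue(':id', $topicId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function handle_reply(array $get, ?PDO $db = null): string
{
    $id = topic_id_from_request($get);
    if ($id === null) {
        // Generic refusal: no SQL error text, no file path.
        http_response_code(400);
        return 'Invalid topic id';
    }
    $topic = $db ? load_topic($db, $id) : null;
    return $topic ? 'Reply to: ' . htmlspecialchars($topic['topic_title'], ENT_QUOTES, 'UTF-8')
                  : 'Topic ' . $id . ' not found';
}

// Constructed requests: the advisory's payload and a normal one (no DB attached).
$inputs = [
    ['t' => '0 UNION SELECT user_id, user_password FROM mb_users /*'],
    ['t' => '42'],
];
foreach ($inputs as $get) {
    echo handle_reply($get), "\n";   // "Invalid topic id", then "Topic 42 not found"
}
```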
Solution:
MercuryBoard version 1.1.2 solves all of the above issues; the new version
can be downloaded from:
http://www.mercuryboard.com/index.php?a=downloads
ADDITIONAL INFORMATION
The information has been provided by Alberto Trivero (trivero@jumpy.it).
The original article can be found at:
http://www.codebug.org/index.php?subaction=showfull&id=1106604257&archive=&start_from=&ucat=1&
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.