[UNIX] myPHP Forum Unauthorized Access

From: SecuriTeam (support_at_securiteam.com)
Date: 03/22/05

    To: list@securiteam.com
    Date: 22 Mar 2005 10:07:43 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      myPHP Forum Unauthorized Access
    ------------------------------------------------------------------------

    SUMMARY

    "MyPHP Forum <http://www.myphp.ws/>, an easy to set up and easy to use
    MySQL and PHP based forum. It is distributed freely under the GPL license.
    It was made generally for use on small to medium sized websites which need
    a clean and efficient forum but without all the bloat that generally comes
    with other forums."

    A lack of validation checks allows a myPHP Forum user to create new
    categories and invisible topics. It is probably also possible to hide an
    entire forum on somebody else's site.

    DETAILS

    Vulnerable Systems:
     * myPHP Forum versions 3.0 and prior

    Both forum.php and topic.php files have no validation checks. They are
    wide open. When visiting forums, click a forum category. In the URL bar,
    you'll see "fid=n", where n is the topic number. You can change this value
    to whatever value you want, for example, "fid=999999999".

    This will create a new empty forum folder that allows you to click the
    "new topic" link. This means that you can insert a message into forum
    "999999999" ... while this forum doesn't even exist in the forum index.

    The same stands for topic.php. If you click a topic, you'll see "tid=n".
    It is possible to post topics with arbitrary id numbers, thus hiding them
    inside the forum.

    ADDITIONAL INFORMATION

    The information has been provided by Terencentanio Enache
    <mailto:terencentanio@root32.com>.


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
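
The server-side check that the DETAILS section says forum.php and topic.php lack, shown as an added example that is not myPHP Forum's code and not part of the original advisory. The `forums` and `topics` tables, their `id` column and the helper names are assumptions, and the demo data is constructed in an in-memory SQLite database (requires the pdo_sqlite extension).

```php
<?php
// Added example; not myPHP Forum code. Table and column names are assumed.

// Accept only a canonical positive integer of at most 9 digits.
function parse_id($raw): ?int
{
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,8}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// HTTP status to answer with before rendering a page or accepting a post.
function id_status(PDO $db, string $table, $raw): int
{
    // The table name is interpolated below, so restrict it to known values.
    if (!in_array($table, ['forums', 'topics'], true)) {
        throw new InvalidArgumentException('unexpected table');
    }
    $id = parse_id($raw);
    if ($id === null) {
        return 400;                       // missing or malformed id
    }
    $st = $db->prepare("SELECT 1 FROM $table WHERE id = ?");
    $st->execute([$id]);
    return $st->fetchColumn() === false ? 404 : 200;
}

// Constructed sample data: one forum and one topic.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE forums (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE topics (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO forums VALUES (1, 'General')");
$db->exec("INSERT INTO topics VALUES (7, 'Welcome')");

$requests = [
    ['forums', '1'],          // forum listed in the index
    ['forums', '999999999'],  // well-formed id with no matching forum
    ['forums', '1abc'],       // malformed id
    ['topics', '7'],          // existing topic
    ['topics', '424242'],     // well-formed id with no matching topic
];
foreach ($requests as [$table, $raw]) {
    echo $table, ' id=', $raw, ' -> ', id_status($db, $table, $raw), "\n";
}
```

Calling such a check at the top of both scripts, and letting the database assign ids for new topics instead of taking them from the request, means a request for an id outside the index is rejected before any "new topic" link or post handler is reached.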

