myPHP Forum v1, 2 & 3

From: Terencentanio Enache (terencentanio_at_root32.com)
Date: 03/18/05

  • Next message: GHC team: "possible SQL injection in Subdreamer"
    Date: 18 Mar 2005 11:11:55 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is)

    ~ PHOX: myPHP Forum v1, 2 & 3 Exploits ~

    ###
    # Content
    ###

     - Credits
     - SMFDBPWNOCS
     - Solution
     - Contact

    ###
    # Credits
    ###

    Exploit discovered by Phoxpherus (Phorce), Phox (R&P), Terencentanio (Root32)

    ###
    # SMFDBPWNOCS - Stupid Mofo Database Spamming When No One Can See
    ###

    In short, forum.php and topic.php have no validation checks. They are wide open to do whatever you want.

    Let's use myphp.ws forums for example. You go to their forums, click a forum category. In the URL bar, you'll see "fid=n", where n is the topic number. Now, we can change this to whatever we want. Let's say, "fid=999999999". Nothing will be displayed, but we can still click the "new topic" link. By doing so, we can enter a message into forum "999999999" ... but that forum doesn't even exist.

    The same stands for topic.php. If you click a topic, you'll see "tid=n". We can again change this to anything we want, say "999999999", and post replies.

    This allows for spamming of a database, and no one can see it. Not tried, but you may even be able to start your own forums up.

    ###
    # Solution
    ###

    The solution I have used is:

    [PHP]
    $jym = $_GET['fid'];
    $lralg = "SELECT * FROM $db_forum WHERE fid = '$val'";
    $res = mysql_query($lralg);
    $hu = mysql_numrows($res);
    $i=0;
    while ($i < $hu) {
    $hysa = mysql_result($res,$i,"name");
    $i++;
    }
    if($hu == "0")
    {
    header("Location: index.php");
    }
    [/PHP]

    .. in forum.php. You can add a variant to topic.php to patch the other hole.

    ###
    # Contact
    ###

    Email: terencentanio.enache@btopenworld.com
    MSN: al_bhed_brother@microsoft.com


  • Next message: GHC team: "possible SQL injection in Subdreamer"