APBoard Protected Forum Thread Posting Vulnerability

Vulnerability ID: 1203411
Vulnerability type: Other
Published: 2002-12-31
Updated: 2002-12-31
CVE ID: CVE-2002-2398
CNNVD-ID: CNNVD-200212-310
Platform: N/A
CVSS score: 5.0
|Vulnerability source
https://cxsecurity.com/issue/WLB-2007110006
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-310
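|Vulnerability details
A vulnerability exists in the new thread posting page of APBoard versions 2.02 and 2.03. A remote attacker can post threads to protected forums by modifying the insertinto parameter.
|Exploit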


Product: Another PHP Program - APBoard
Versions: tested on 2.02, 2.03
Vulnerability: post threads to protected forums and possibility to hijack forum-password
Date: November 12, 2002
Discovered by: ProXy <proxy (at) es-crew (dot) de>

Introduction:

Normal Users can submit threads to password protected forums and possibly hijack the forum-password with some referer logging script

I have already informed APP about this vulnerability!

Exploit:

1, register an account on vuln board
2, go to any forum and click on "Neues Thema"
3, open sourcecode of this site and scroll down to the following lines:

<---code--->
<INPUT TYPE="hidden" NAME="sess_id" VALUE="">
<INPUT TYPE="hidden" NAME="postit" VALUE="TRUE">
<INPUT TYPE="hidden" NAME="insertinto" VALUE="1">
<INPUT TYPE="hidden" NAME="BoardID" VALUE="1">
<INPUT CLASS="button" TYPE="submit" NAME="new_topic" VALUE="Thema posten">
<INPUT CLASS="button" TYPE="submit" NAME="preview_topic" VALUE="Vorschau">
<---code--->

4, edit the "insertinto" value of the forum where you want to submit the new thread.
eg: <INPUT TYPE="hidden" NAME="insertinto" VALUE="12">
5, save file local
6, open file and write your text, then click "Thema posten" and the new thread is posted to the protected forum

Another Bug in this Board is that if a user logs into a protected forum the forum-password will be shown on the title-bar in plaintext
eg: http://www.your-domain.com/apboard/thread.php3?id=999&passwort=1&thepasswordhere

you could create a referer-logging script and link this in the posted thread of the protected forum.
if any user clicks on the link the plaintext password would therefore be saved in the logs of the attacker

- ProXy
- http://www.es-crew.de
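
The server-side checks whose absence the advisory describes, as an added example that is not part of the original advisory and is not APBoard's code; the data model, function names and session layout are hypothetical. It contrasts a handler that trusts the hidden insertinto field with one that authorizes the target forum on every request, and it keeps the forum password out of URLs.

```php
<?php
// Hypothetical data model (not APBoard's schema): forum id => settings.
// Constructed sample data; a null hash means the forum is not protected.
$forums = [
    1  => ['name' => 'General', 'password_hash' => null],
    12 => ['name' => 'Staff', 'password_hash' => password_hash('constructed-sample', PASSWORD_DEFAULT)],
];

// Pattern described in the advisory: the target forum is taken from the
// hidden "insertinto" field and used without any access check.
function post_thread_vulnerable(array $forums, array $post): string
{
    $forumId = (int)($post['insertinto'] ?? 0);
    return isset($forums[$forumId]) ? "posted to forum $forumId" : 'no such forum';
}

// Hardened pattern: the form field only selects the target; the server decides
// from its own session state whether this user has unlocked that forum.
function post_thread_checked(array $forums, array $session, array $post): string
{
    $forumId = filter_var($post['insertinto'] ?? null, FILTER_VALIDATE_INT);
    if ($forumId === false || !isset($forums[$forumId])) {
        return 'rejected: unknown forum';
    }
    $protected = $forums[$forumId]['password_hash'] !== null;
    $unlocked  = in_array($forumId, $session['unlocked_forums'] ?? [], true);
    return ($protected && !$unlocked) ? 'rejected: forum is protected' : "posted to forum $forumId";
}

// The forum password arrives in a POST body and the result is stored in the
// session, so it never appears in a URL, the title bar or a Referer header.
function unlock_forum(array $forums, array &$session, int $forumId, string $password): bool
{
    $hash = $forums[$forumId]['password_hash'] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    $session['unlocked_forums'][] = $forumId;
    return true;
}

$session  = ['user' => 'alice', 'unlocked_forums' => []];
$tampered = ['insertinto' => '12', 'BoardID' => '1']; // hidden field edited client-side
echo post_thread_vulnerable($forums, $tampered), "\n";
echo post_thread_checked($forums, $session, $tampered), "\n";
unlock_forum($forums, $session, 12, 'constructed-sample');
echo post_thread_checked($forums, $session, $tampered), "\n";
```

With the tampered field, the first handler accepts the post, the checked handler rejects it until the session has unlocked forum 12, and then accepts it.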
|References

Source: BID
Name: 6167
Link: http://www.securityfocus.com/bid/6167
Source: XF
Name: apboard-protected-forum-bypass(10611)
Link: http://www.iss.net/security_center/static/10611.php
Source: SREASON
Name: 3332
Link: http://securityreason.com/securityalert/3332
Source: BUGTRAQ
Name: 20021112 APBoard - post threads to protected forums and possibility to hijack forum-password
Link: http://online.securityfocus.com/archive/1/299536
