Product: Another PHP Program - APBoard
Versions: tested on 2.02, 2.03
Vulnerability: post threads to protected forums and possibility to hijack
forum-password
Date: November 12, 2002
Discovered by: ProXy <proxy (at) es-crew (dot) de [email concealed]>
Introduction:
Normal Users can submit threads to password protected forums
and possibly hijack the forum-password with some referer logging script
I have already informed APP about this vulnerability!
Exploit:
1, register an account on vuln board
2, go to any forum and klick on "Neues Thema"
3, open sourcecode of this site and scroll down to the following lines:
<---code--->
<INPUT TYPE="hidden" NAME="sess_id" VALUE="">
<INPUT TYPE="hidden" NAME="postit" VALUE="TRUE">
<INPUT TYPE="hidden" NAME="insertinto" VALUE="1">
<INPUT TYPE="hidden" NAME="BoardID" VALUE="1">
<INPUT CLASS="button" TYPE="submit" NAME="new_topic" VALUE="Thema posten">
<INPUT CLASS="button" TYPE="submit" NAME="preview_topic" VALUE="Vorschau">
<---code--->
4, edit the "insertinto" value of the forum where you want to submit the
new thread.
eg: <INPUT TYPE="hidden" NAME="insertinto" VALUE="12">
5, save file local
6, open file and write your text, then click "Thema posten" and the new
thread is posted to the protected forum
Another Bug in this Board is that if a user logs into a protected forum
the forum-password will be shown on the title-bar in plaintext
eg: http://www.your-domain.com/apboard/thread.php3?
id=999&passwort=1&thepasswordhere
you could create a referer-logging script and link this in the posted
thread of the protected forum.
if any user clicks on the link the plaintext password would therefore be
saved in the logs of the attacker
- ProXy
- http://www.es-crew.de
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666