Date: Mon, 09 Jun 2003 09:25:19 -0800
From: "Marc Bromm" <theblacksheep@...tmail.fm>
To: bugtraq@...urityfocus.com
Subject: Several bugs found in "Spyke's PHP Board"


 ================================================
<------------------------------------------------>
<------------#www.bright-shadows.net#------------>
<------------------------------------------------>
<--------------#theblacksheep&erik#-------------->
<------------------------------------------------>
 ================================================

Advisory Information
--------------------
Advisory Name      : Several bugs found in "Spyke's PHP Board"
Author             : Marc Bromm <theblacksheep@...tmail.fm> Germany
Discovered by      : Marc Bromm <theblacksheep@...tmail.fm> Germany
Release Date       : 9. June 2003
Application        : Spyke's PHP Board (textfile based board)
Vendor Homepage    : http://www.spyke-online.de
Vulnerable Versions: v2.1 (maybe older)
Platforms          : OS Independent, PHP
Severity           : High 

######Overview:

"Spyke's PHP Board" is a small textfile-based PHP board. You have to
register to write messages. An admin area also exists, where you can
add/delete threads and add/delete topics.
The website www.spyke-online.de is the official website where you can get
it.

######Exploit:

1. Get user information

All information about a user, such as password (plaintext), e-mail, ICQ number,
signature ... is stored in text files in the directory "user/".
Every file has the name of the user.

So if you register as "theblacksheep" your information is stored in:

user/theblacksheep.txt

So it is possible to open these files with your browser to get the
information.


2. Get the admin password and username

In the root directory you can find a file called "info.dat". It looks
like:

      <?php
	$boardname="Spykes PHP Board";
	$hintergrund="#C0C0C0";
	$linkfarbe="#333333";
	$table1="#606060";
	$table2="#F0F0F0";
	$table3="#A0A0A0";
	$text="#000000";
	$adminname="adminname";
	$adminpw="adminpassword";
	$topicdelzahl="15";
	$phpendung = ".php";
      ?>

So just open this file with your browser to get the admin information.
Then you can log in as admin, so you have full control.

Some more bugs also exist. It is also possible to:

--> Create a topic in a non-existent thread (found by DigitalAcid)
--> Change anyone's account without knowing their password (FirebirdGM)


######Fix:

It is not possible to fix these holes. (You can do it, but then you have to
change everything [how all the information is stored].)

######Vendor Response:

For "Spyke PHP Board" no support exists.

Greetz to:

erik, FirebirdGM, DigitalAcid

==================================================
-- 
  
  theblacksheep@...tmail.fm

-- 
http://www.fastmail.fm - Or how I learned to stop worrying and
                          love email again
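
Added example (not part of the original advisory and not the board's own code): a local audit an administrator can run over a web document root to find files of the kind described above, i.e. data files and PHP-source files that the server would hand out as plain text. Assumptions: only ".php" is executed by the server, the static extension list is illustrative, and the sample tree is constructed (only the file names come from the advisory).

```python
import os
import re

# Assumptions (not from the advisory): only .php is handed to the PHP
# interpreter; the STATIC extensions are meant to be served as-is.
EXECUTED = {".php"}
STATIC = {".html", ".css", ".js", ".png", ".gif", ".jpg"}
# PHP variable assignments whose name suggests a password, e.g. $adminpw=
SECRET_RE = re.compile(r"\$\w*(?:pw|pass)\w*\s*=", re.IGNORECASE)

def audit_docroot(root):
    """Map each file a browser could fetch raw to the reason it is flagged."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in EXECUTED or ext in STATIC:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                body = fh.read()
            if "<?php" not in body:
                findings[rel] = "data file inside document root"
            elif SECRET_RE.search(body):
                findings[rel] = "PHP source with credentials, not executed"
            else:
                findings[rel] = "PHP source, not executed"
    return findings

def build_sample(root):
    """Write a constructed layout that reuses the advisory's file names."""
    os.makedirs(os.path.join(root, "user"))
    sample = {
        "index.php": '<?php echo "board"; ?>\n',
        "info.dat": '<?php\n$adminname="adminname";\n$adminpw="adminpassword";\n?>\n',
        # Constructed placeholder: the advisory does not give the field layout.
        "user/theblacksheep.txt": "placeholder-profile-data\n",
    }
    for rel, text in sample.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, why in sorted(audit_docroot(tmp).items()):
            print(f"{rel}: {why}")
```

Files the audit flags need to live outside the document root or be denied by the web server so they cannot be requested directly.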

