lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 26 Apr 2005 19:30:02 -0000
From: Terencentanio Enache <terencentanio.enache@...penworld.com>
To: bugtraq@...urityfocus.com
Subject: myPHP Forum v3 (possible v1 & 2 also) Identification 'spoof'




~ PHOX: myPHP v3 (Final) 'Sender/Poster Exploit' ~

###
# Content
###

 - Credits
 - 'sploit
 - Solution

###
# Credits
###

Exploit discovered by Phox/Terencentanio/Phoxpherus of Root32.

Email: terencentanio.enache@...penworld.com / terencentanio@...t32.com

###
# 'sploit
###

There are two exploits here.

#1. Posting as someone else.

It's rather nooby, but the poster username is submitted in the form. Easily changed with a bit of JavaScript or an external form (JS is easier)

-----------------
JavaScript: void(document.input.nbuser.value="Admin"); alert(document.input.nbuser.value); 
-----------------

This will change the poster username to "Admin" (can be edited to whatever username you like) and then it'll confirm success by alerting with the new name.

Then, you type your subject and body and post.

#2. Sending messages as someone else.

This is the same as the post one, but the JS is a bit different.

Load the page to send a PM to a user, then enter into the URL bar:

-----------------
JavaScript: void(document.forms[1].sender.value="Admin"); alert(document.forms[1].sender.value);
-----------------

When you send, it'll appear to them as being from "Admin" or whatever you change it to. 

You can really do whatever you want with this. 

###
# Solution
###

To solve these, you'll have to open post.php and privmsg.php

In post.php, pay a visit to line 82 and change "$nbuser = $_POST['nbuser'];" into "$nbuser = $_COOKIE['nbuser'];"

In privmsg.php, line 208, change "$sender = $_POST['sender'];" to "$sender = $_POST['sender'];"

There may be some other things that need changing. Due to limits on my time, and the fact that I found this sploit and am writing this while I should be working on a site, I can't go into everything and do proper tests, etc.

Vendor will be notified as soon as possible. Hopefully he'll take notice of this one (he ignored the last one)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ