Date: 18 Mar 2005 11:11:55 -0000
From: Terencentanio Enache <terencentanio@...t32.com>
To: bugtraq@...urityfocus.com
Subject: myPHP Forum v1, 2 & 3




~ PHOX: myPHP Forum v1, 2 & 3 Exploits ~

###
# Content
###

 - Credits
 - SMFDBPWNOCS
 - Solution
 - Contact

###
# Credits
###

Exploit discovered by Phoxpherus (Phorce), Phox (R&P), Terencentanio (Root32)

###
# SMFDBPWNOCS - Stupid Mofo Database Spamming When No One Can See
###

In short, forum.php and topic.php have no validation checks. They are wide open to do whatever you want.

Let's use myphp.ws forums for example. You go to their forums, click a forum category. In the URL bar, you'll see "fid=n", where n is the topic number. Now, we can change this to whatever we want. Let's say, "fid=999999999". Nothing will be displayed, but we can still click the "new topic" link. By doing so, we can enter a message into forum "999999999" ... but that forum doesn't even exist. 

The same stands for topic.php. If you click a topic, you'll see "tid=n". We can again change this to anything we want, say "999999999", and post replies.

This allows for spamming of a database, and no one can see it. Not tried, but you may even be able to start your own forums up. 

###
# Solution
###

The solution I have used is:

[PHP]
$jym = $_GET['fid'];
$lralg = "SELECT * FROM $db_forum WHERE fid = '$val'";
$res = mysql_query($lralg);
$hu = mysql_numrows($res);
$i=0;
while ($i < $hu) {
$hysa = mysql_result($res,$i,"name");
$i++;
}
if($hu == "0")
{
header("Location: index.php");
}
[/PHP]

.. in forum.php. You can add a variant to topic.php to patch the other hole.

###
# Contact
###

Email: terencentanio.enache@...penworld.com
MSN: al_bhed_brother@...rosoft.com

Powered by blists - more mailing lists