lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050318111155.11346.qmail@www.securityfocus.com>
Date: 18 Mar 2005 11:11:55 -0000
From: Terencentanio Enache <terencentanio@...t32.com>
To: bugtraq@...urityfocus.com
Subject: myPHP Forum v1, 2 & 3




~ PHOX: myPHP Forum v1, 2 & 3 Exploits ~

###
# Content
###

 - Credits
 - SMFDBPWNOCS
 - Solution
 - Contact

###
# Credits
###

Exploit discovered by Phoxpherus (Phorce), Phox (R&P), Terencentanio (Root32)

###
# SMFDBPWNOCS - Stupid Mofo Database Spamming When No One Can See
###

In short, forum.php and topic.php have no validation checks. They are wide open to do whatever you want.

Let's use myphp.ws forums for example. You go to their forums, click a forum category. In the URL bar, you'll see "fid=n", where n is the topic number. Now, we can change this to whatever we want. Let's say, "fid=999999999". Nothing will be displayed, but we can still click the "new topic" link. By doing so, we can enter a message into forum "999999999" ... but that forum doesn't even exist. 

The same stands for topic.php. If you click a topic, you'll see "tid=n". We can again change this to anything we want, say "999999999", and post replies.

This allows for spamming of a database, and no one can see it. Not tried, but you may even be able to start your own forums up. 

###
# Solution
###

The solution I have used is:

[PHP]
$jym = $_GET['fid'];
$lralg = "SELECT * FROM $db_forum WHERE fid = '$val'";
$res = mysql_query($lralg);
$hu = mysql_numrows($res);
$i=0;
while ($i < $hu) {
$hysa = mysql_result($res,$i,"name");
$i++;
}
if($hu == "0")
{
header("Location: index.php");
}
[/PHP]

.. in forum.php. You can add a variant to topic.php to patch the other hole.

###
# Contact
###

Email: terencentanio.enache@...penworld.com
MSN: al_bhed_brother@...rosoft.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ