lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44.0209251147490.18333-100000@kerri.darla.co.uk>
From: gossi at lab6.com (Gossi The Dog)
Subject: Re: Information Disclosure with Invision Board installation (fwd)

Well, the developers have responded;

http://forums.invisionboard.com/index.php?act=ST&f=30&t=23569

>From Matt, "IBF Project Leader"

--------------------- snip -----------------------------

"Whilst disclosing phpinfo.php to the world does expose installed modules, 
paths and such - it's hardly the biggest security risk.

Any PHP script that fails tells the viewer the full path to the script, as 
does perl/CGI, etc.

The information that phpinfo.php provides about the server can be got by a 
simple desktop application as the information is quite freely distributed 
(the basic idea of web protocols).

FYI, we only set the SSL server up to test a few ideas, we use a merchant 
account to process our credit card orders - they are not processed on our 
server.

Edit:

I've set up security@...isionboard.com, so I will actually get the email 
this time rather than it be eaten up in our system.

I guess if this is the only "security" breach they can find with Invision 
Board, we're doing well  "

"I didn't receive any email, this is the first I've heard about it - my 
email address is readily available and my signature says that I'm the lead 
developer and should be the first point of contact in this case.

To make it easier, I've set up security@...isionboard.com - all of our 
unrouted mail is pretty much forwarded to dev/null because of the 
different systems we have tied into our mail system (and to reduce the 
amazing level of spam we get).

Yes, phpinfo.php discloses the server environment - but not a great deal 
more than one could find out by other means.

My point being, there is no need for a full scale panic over this. The 
phpinfo.php file has been distributed with Invision Board since day 1 and 
I've not heard of anyone having their server hacked over it.

I'll probably remove it in future releases to appease the over paranoid. 
"

--------------------- snip -----------------------------

Quite honestly, this is a bit worrying.  "Matt" seems to think that people 
can remotely obtain this kind of information due to the "the basic web 
protocols" without phpinfo.  This is complete rubbish.  Disclosing 
application paths on servers, PHP setup... etc is very much not possible 
via "basic web protocols".

If people are clued up enough to understand why this is a problem, I would 
suggest they mail their concerns to security@...isionboard.com.

Regards,
Gossi.


On Tue, 24 Sep 2002, Gossi The Dog wrote:

> 
> Since the vendors didn't bother to respond, I might as well forward this 
> on.
> 
> Basic jizt - Invision Board (all version) - installation guide copies 
> across phpinfo.php, a file which calls phpinfo().
> 
> Example;
> http://blahblahblah.corp.com/phpinfo.php
> 
> (just do a search on Google for "Invision Board" and append phpinfo.php to 
> the URL).
> 
> Why is this bad?  Well, duh.  It gives you system varibles, path names, 
> modules of apache, PHP setup, Apache module version numbers etc etc.
> 
> Note to vendors: please reply to security mail in the future.
> 
> #phrack whore
> 
> ---------- Forwarded message ----------
> Date: Mon, 23 Sep 2002 20:31:41 +0100 (BST)
> From: Gossi The Dog <gossi@...6.com>
> To: security@...isionboard.com
> Cc: support@...isionboard.com, gossi@...6.com
> Subject: Information Disclosure with Invision Board installation
> 
> 
> Hi,
> 
> Okay, how to explain this one...
> 
> The installation procedure for Invision Board advises to upload various 
> files and directorys.  One of these is 'phpinfo.php'.
> 
> Now, I'm sorry, but this is dumb.
> 
> Why?
> 
> Example.
> 
> http://forums.invisionboard.com/phpinfo.php
> 
> I can now tell you don't have PHP Safe mode installed, exactly what Apache 
> modules you have loaded, your full Apache SERVER_SOFTWARE (Apache/1.3.26 
> (Unix) mod_bwlimited/1.0 PHP/4.2.1 mod_log_bytes/0.3 FrontPage/5.0.2.2510 
> mod_ssl/2.8.9 OpenSSL/0.9.6b)...
> 
> etc.
> 
> 
> PHP modules, settings, system variables...  They're all out there.  Also, 
> note, your OpenSSL version is out of date and fully remotely exploitable 
> (I managed to obtain that from phpinfo.php - you had it hidden before, but 
> phpinfo.php discloses this information).
> 
> Do you agree this is a problem?
> 
> You need to modify the installation guide to say this file should *only* 
> be uploaded for diagnoises and debugging reasons, and possible move it to 
> a different folder (eg debug) to stop people uploading it by accident.  
> People also need to be reminded to *remove* the file if they upload it for 
> debugging purposes after they finish.
> 
> You also need to notify existing users of the software about the file.
> 
> I did a quick Google search for "Invision Board", and every single one of 
> the boards I tried (About 50) had the file.  Oops.
> 
> I'm planning to do some kind of bugtraq announcement after I've got a plan 
> of action from yourselves (and I've given you a decent grace period), 
> basically to make sure as many people as possible remove the file.
> 
> 
> Thanks muchly,
> 
> Gossi The Dog.
> 
> 




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ