lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-id: <456A5C78.1090106@mayhemiclabs.com>
Date: Sun, 26 Nov 2006 22:33:12 -0500
From: Mayhemic Labs Security <security@...hemiclabs.com>
To: full-disclosure@...ts.grok.org.uk,  bugtraq@...urityfocus.com
Subject: MHL-2006-003 Public Advisory: "mboard" file
	creation issue

MHL-2006-004 - Public Advisory

+-----------------------------------------------------------+
|                mboard Security Issue                      |
+-----------------------------------------------------------+


PUBLISHED ON
  November 26th, 2006


PUBLISHED AT
  http://www.mayhemiclabs.com/advisories/MHL-2006-004.txt
  http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006004


PUBLISHED BY
  Mayhemic Labs
  http://www.mayhemiclabs.com

  security AT mayhemiclabs DOT com
  GPG key: 0x56143F84


APPLICATION
  MBoard - PHP message board
  http://www.phpjunkyard.com/php-message-board.php

  "MBoard is a PHP message board script (a simple forum)."


AFFECTED VERSIONS
  Versions 1.22 and below


ISSUES
  MBoard does not check the Post ID for malicious data when replying,
  allowing an attacker to create blank files on the system wherever
  the web server has write access.

  Example: An attacker can reply to a message, and edit the "orig_id"
  variable to something malicious ("../../../../../../tmp/ZOMGHAX")
  mboard will then create the specified file (appending the
  configured extension.

WORKAROUNDS
	Enabling Magic Quotes will negate the issue.


SOLUTIONS
	Upgrade to version 1.3


REFERENCES
	MBoard - http://www.phpjunkyard.com/php-message-board.php


TIMELINE
	October 11th, 2006
		Vendor/Developer Notified
		Vendor/Developer Response Recieved

	October 25th, 2006
		Vendor/Developer Followup
		Vendor/Developer Response Recieved
		
	November 16th, 2006
		Vendor/Developer Followup

	November 18th, 2006
		New Version Released
		
	November 26th, 2006
		Advisory Released

				
ADDITIONAL CREDIT
  N/A

LICENSE
  Creative Commons Attribution-ShareAlike License
  http://creativecommons.org/licenses/by-sa/2.5

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ