IT Security and Insecurity Portal

Posted: Sun Aug 21, 2005 6:48 am
lunix
Regular user
Joined: Aug 17, 2005
Posts: 16

Vipsta wrote: What about using the same vulnerability to make a user an administrator? Or at least something more interesting than "Logout".

I don't think you understand what the script is doing.

Posted: Sun Aug 21, 2005 10:11 am
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

Vipsta wrote: What about using the same vulnerability to make a user an administrator? Or at least something more interesting than "Logout".

I think it would be good if you read the whole thread from the start, so you won't get this thread back to "zero" again.

_________________ IO::y3dips->new(http://clog.ammar.web.id);

Posted: Sun Aug 21, 2005 10:25 am
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

subzero wrote: mm, accessing a script to add a user as admin in the /admin/ folder would ask the admin to re-authenticate him/herself.
Hard to access the /admin/ folder now.
But you can delete a specific posting then,
whenever an admin views the thread.
hehe, maybe someone out there knows how to bypass it.

Yup, I agree with you; all that is possible to do is something "limited" that an admin can do without re-authenticating (as we know, accessing the admin folder now still needs re-authentication).
How about other forums or bulletin boards *_^ .. we should give it a try.

_________________ IO::y3dips->new(http://clog.ammar.web.id);

Posted: Sun Aug 21, 2005 11:21 am
lunix
Regular user
Joined: Aug 17, 2005
Posts: 16

The only way to get root on phpbb now is to get the admin hash and crack it. All the fun stopped when phpbb realised EVERY admin cookie was the same.

Posted: Sun Aug 21, 2005 12:18 pm
oxygenne
Advanced user
Joined: Apr 13, 2005
Posts: 52

What about saving some page of a forum offline, copying the source of the code (modifying it to log the stuff, then redirect) and putting it in an index.php file

Posted: Sun Aug 21, 2005 3:04 pm
subzero
Valuable expert
Joined: Mar 16, 2005
Posts: 42

Posted: Sun Aug 21, 2005 3:31 pm
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

Well my friends, I've found that vbulletin (3.0.7, also prior versions) and PUNBB (1,26, also prior versions) are vulnerable to this kind of threat too. I've already posted to the vendor (with detailed exploitation) and also to bugtraq (with no exploitation details).
Interesting huh, just imagine how "messy" this could be.

_________________ IO::y3dips->new(http://clog.ammar.web.id);

Posted: Sun Aug 21, 2005 3:57 pm
subzero
Valuable expert
Joined: Mar 16, 2005
Posts: 42

So we have 3-4 vulnerable now, and not forgetting those from the bug finder himself.
So this vulnerability affects most of the CMSs out there.
You will be able to do more, such as adding an admin user and then getting the database, if the script doesn't need you to re-authenticate as admin.
y3dips, sure it's allowed. hehehe

Posted: Mon Aug 22, 2005 4:27 am
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

subzero wrote: So we have 3-4 vulnerable now, and not forgetting those from the bug finder himself.
So this vulnerability affects most of the CMSs out there.
You will be able to do more, such as adding an admin user and then getting the database, if the script doesn't need you to re-authenticate as admin.
y3dips, sure it's allowed. hehehe

Yup, if I'm not wrong it affects all web applications that use BBCode without doing any modification or parsing to check user input, but the levels vary, like what easyex found in phpbb and php-fusion, also what I found in vbulletin (needs re-authentication) and punBB (no need), and many ..
But I think it is not honest to feed the kiddies with a fresh exploit.
: as for whether it's allowed or not, it's just a matter of morals.

_________________ IO::y3dips->new(http://clog.ammar.web.id);

Posted: Mon Aug 22, 2005 5:25 am
Easyex
Regular user
Joined: Aug 19, 2005
Posts: 6

y3dips wrote: Well my friends, I've found that vbulletin (3.0.7, also prior versions) and PUNBB (1,26, also prior versions) are vulnerable to this kind of threat too. I've already posted to the vendor (with detailed exploitation) and also to bugtraq (with no exploitation details).
Interesting huh, just imagine how "messy" this could be.

Err..
Bad luck, I found the vulnerability many weeks ago.
PHP-Fusion, PhpBB, vBulletin, Invision Power Board, SMF and more..
I have reported it to all the vendors above already.
Basically anything that allows BBcode [img][/img] tags is most likely vulnerable.
Enjoy.

Posted: Mon Aug 22, 2005 8:06 am
lunix
Regular user
Joined: Aug 17, 2005
Posts: 16

It would work in anything that allows people to post images.
The flaw isn't in bbcode, it's in browsers.
I don't think they will even bother to patch this.
Parsing EVERY image every time the page is loaded would lag.
An obvious solution would be to not allow linking to remote images. Every time someone wanted to post an image they would have to upload it either from their computer or a remote location so the forum can download it, then it would only need to be parsed once.
Either way, it would take a lot of work to patch something that isn't critical.
I don't think they will bother.

Posted: Mon Aug 22, 2005 9:08 am
Easyex
Regular user
Joined: Aug 19, 2005
Posts: 6

Yeah exactly right it would lag...
The best thing for them to do is require confirmation for functions so that it can't be executed, that's what phpbb is doing I believe, but it's not that bad since you can't do administrator functions.
On PHP-Fusion on the other hand you can perform administrator functions, so some people will have a fair bit to fix up. Their current patch checks the height and width to check if it's an image but there is a way to get past that.
All the others I have not gone over, but on some you should be able to do some administrator functions on different cms/forums.
In SMF you can lock topics. I didn't look at it much, that was the only thing I tested, but I'm guessing there are other things you can do.
Regards,
Easyex.
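
The confirmation requirement described in the post above, as an added example (not part of the thread, and not code from phpBB, PHP-Fusion or SMF): state-changing actions accept only POST requests that carry a per-session token, so a browser fetching an image URL cannot trigger them. The function names, session layout and sample requests are assumptions constructed for illustration.

```php
<?php
// Added example with hypothetical names; not taken from any forum software.

// Issue a random per-session token and keep it server-side in the session.
function issue_action_token(array &$session): string
{
    if (empty($session['action_token'])) {
        $session['action_token'] = bin2hex(random_bytes(16));
    }
    return $session['action_token'];
}

// Decide whether a state-changing request (logout, delete, lock...) may run.
function may_perform_action(string $method, array $post, array $session): bool
{
    // A browser loading an image always sends GET, so state changes are POST-only.
    if ($method !== 'POST') {
        return false;
    }
    $sent = $post['token'] ?? '';
    $expected = $session['action_token'] ?? '';
    // Reject when either side is missing; compare in constant time otherwise.
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// Constructed sample requests against one logged-in session.
$session = ['user' => 'admin'];
$token = issue_action_token($session);

$cases = [
    'image tag fetch (GET, no token)'   => ['GET', []],
    'cross-site POST without token'     => ['POST', []],
    'cross-site POST with wrong token'  => ['POST', ['token' => str_repeat('0', 32)]],
    'form rendered by the forum itself' => ['POST', ['token' => $token]],
];
foreach ($cases as $label => [$method, $post]) {
    $ok = may_perform_action($method, $post, $session);
    printf("%-36s %s\n", $label, $ok ? 'allowed' : 'rejected');
}
```

Only the last case is allowed, because the token is embedded in forms the forum renders for that session and is never known to a page on another site.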

Posted: Mon Aug 22, 2005 9:11 am
shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

Finally something positive
I don't really see this as much of a threat because I never allow avatar off-site linking anyway. A lot of sites I have been on do the same. But the likes of Role Playing web sites will be affected.

_________________ Shai-tan
"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds

Posted: Mon Aug 22, 2005 9:17 am
Easyex
Regular user
Joined: Aug 19, 2005
Posts: 6

It is a threat to other forums/cms.
It just depends on how well it's coded and its authentication.
On PHP-Fusion you can delete members, delete shout box posts, ban users, delete admins and other things.
In SMF you can lock topics and probably do some other stuff.
And I'm sure there are a few other systems out there where you can do administrator functions.
Anyways.. have fun.

Posted: Mon Aug 22, 2005 10:12 am
kizkur
Regular user
Joined: Dec 04, 2004
Posts: 11

i have proven in my server login.php?logout=true"); and work good
as I can erase a post or a user? one example please
sorry by my english
thx
All times are GMT
Page 3 of 5