Waraxe IT Security Portal
Login or Register
November 16, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 78
Members: 0
Total: 78
Full disclosure
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
4 vulnerabilities in ibmsecurity
32 vulnerabilities in IBM Security Verify Access
xlibre Xnest security advisory & bugfix releases
APPLE-SA-10-29-2024-1 Safari 18.1
SEC Consult SA-20241030-0 :: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) (CVE-2024-23600)
SEC Consult SA-20241023-0 :: Authenticated Remote Code Execution in Multiple Xerox printers (CVE-2024-6333)
APPLE-SA-10-28-2024-8 visionOS 2.1
APPLE-SA-10-28-2024-7 tvOS 18.1
APPLE-SA-10-28-2024-6 watchOS 11.1
APPLE-SA-10-28-2024-5 macOS Ventura 13.7.1
APPLE-SA-10-28-2024-4 macOS Sonoma 14.7.1
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> All other software -> IPB 2.x Error
Post new topicReply to topic View previous topic :: View next topic
IPB 2.x Error
PostPosted: Tue Aug 23, 2005 9:10 pm Reply with quote
kyth
Beginner
Beginner
Joined: Aug 23, 2005
Posts: 2




Going to start off by saying i'm almost 90% sure this is not exploitable.. so if you're a script kiddie looking for a freebie.. not in this post.

The only reason i'm bringing this bug up to the public is because it's a very odd bug and I think people could learn from it - also i'm rather confused by it's behavior.

In the search of IPB 2.x you have a variable called lastdate. This is used to put in html at the form at the very bottom right to put 'selected' at the end of the forum id you specify. This way it will know what forum to have selected.

The code is pretty simple and their first mistake was putting an unsanitized user input variable inside regexp.

Now.. I thought it was unsanitized at first, but after later inspection and messing with it some, it appears two spaces would make it so you cannot mess with it at all.

Code:
if ( $_GET['lastdate'] )
{
$lastdate = preg_replace( "#(value=[\"']{".$_GET['lastdate']."}[\"'])#i", "\\1 selected='selected'", $lastdate );
echo $lastdate;
}


If you look at this part:

Code:
.$_GET['lastdate'].


If you space out the two periods, it is completely clean and you will not be able to mess with it. (I think! After spacing them out and trying again, it would no longer give me the errors and not mess with the page)

If you put in | or || into the lastdate variable, the whole page will go whack because you're modifying most of the pages html and breaking a lot of it so some of it will appear.

I thought this may lead to an xss whole, but I don't believe so.

If you do something as such:

&lastdate=){0}(test)|(ljsfdlkj

It will replace all instances of "<b>test</b>" with selected='selected'.
View user's profile Send private message
IPB 2.x Error
www.waraxe.us Forum Index -> All other software
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.034 Seconds