[Full-Disclosure] Information Disclosure with Invision Board installation (fwd)

From: Gossi The Dog (gossiat_private)
Date: Tue Sep 24 2002 - 15:11:55 PDT


    Since the vendors didn't bother to respond, I might as well forward this 
    on.
    
    Basic gist - Invision Board (all versions) - installation guide copies 
    across phpinfo.php, a file which calls phpinfo().
    
    Example;
    http://blahblahblah.corp.com/phpinfo.php
    
    (just do a search on Google for "Invision Board" and append phpinfo.php to 
    the URL).
    
    Why is this bad?  Well, duh.  It gives you system variables, path names, 
    modules of Apache, PHP setup, Apache module version numbers etc etc.
    
    Note to vendors: please reply to security mail in the future.
    
    #phrack whore
    
    ---------- Forwarded message ----------
    Date: Mon, 23 Sep 2002 20:31:41 +0100 (BST)
    From: Gossi The Dog <gossiat_private>
    To: securityat_private
    Cc: supportat_private, gossiat_private
    Subject: Information Disclosure with Invision Board installation
    
    
    Hi,
    
    Okay, how to explain this one...
    
    The installation procedure for Invision Board advises to upload various 
    files and directories.  One of these is 'phpinfo.php'.
    
    Now, I'm sorry, but this is dumb.
    
    Why?
    
    Example.
    
    http://forums.invisionboard.com/phpinfo.php
    
    I can now tell you don't have PHP Safe mode installed, exactly what Apache 
    modules you have loaded, your full Apache SERVER_SOFTWARE (Apache/1.3.26 
    (Unix) mod_bwlimited/1.0 PHP/4.2.1 mod_log_bytes/0.3 FrontPage/5.0.2.2510 
    mod_ssl/2.8.9 OpenSSL/0.9.6b)...
    
    etc.
    
    
    PHP modules, settings, system variables...  They're all out there.  Also, 
    note, your OpenSSL version is out of date and fully remotely exploitable 
    (I managed to obtain that from phpinfo.php - you had it hidden before, but 
    phpinfo.php discloses this information).
    
    Do you agree this is a problem?
    
    You need to modify the installation guide to say this file should *only* 
    be uploaded for diagnosis and debugging reasons, and possibly move it to 
    a different folder (eg debug) to stop people uploading it by accident.  
    People also need to be reminded to *remove* the file if they upload it for 
    debugging purposes after they finish.
    
    You also need to notify existing users of the software about the file.
    
    I did a quick Google search for "Invision Board", and every single one of 
    the boards I tried (About 50) had the file.  Oops.
    
    I'm planning to do some kind of bugtraq announcement after I've got a plan 
    of action from yourselves (and I've given you a decent grace period), 
    basically to make sure as many people as possible remove the file.
    
    
    Thanks muchly,
    
    Gossi The Dog.
    
    
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
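The post above says what a stray phpinfo.php gives away but does not show how an attacker, or a defender auditing their own hosts, actually harvests it. The following is an added example, not code from the original post or from Invision Board: a small Python triage that fingerprints a phpinfo() page and pulls out the items the post names (PHP version, safe_mode, loaded Apache modules, the SERVER_SOFTWARE banner split into component versions, document root). The embedded SAMPLE_PHPINFO is constructed here to mimic PHP 4.x phpinfo() markup; the only real value in it is the SERVER_SOFTWARE string quoted in the mail. The `fetch_and_triage` helper is an assumption about how one would run this against a live URL and is not exercised offline.

```python
"""Fingerprint a leaked phpinfo() page and extract what an attacker would harvest."""
import html
import re
from typing import Dict, Optional

# Constructed sample modelled on PHP 4.x phpinfo() HTML; not captured from any real host.
# The SERVER_SOFTWARE banner is the one quoted in the Full-Disclosure post.
SAMPLE_PHPINFO = """<html><head><title>phpinfo()</title></head><body>
<h1 class="p">PHP Version 4.2.1</h1>
<table border="0" cellpadding="3" width="600">
<tr><td class="e">System </td><td class="v">Linux www 2.4.18 #1 i686 </td></tr>
<tr><td class="e">Configure Command </td><td class="v">'./configure' '--with-apxs' '--with-openssl' </td></tr>
</table>
<h2>apache</h2>
<table>
<tr><td class="e">Loaded Modules </td><td class="v">mod_php4 mod_ssl mod_bwlimited mod_log_bytes mod_frontpage </td></tr>
</table>
<h2>PHP Core</h2>
<table>
<tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
<tr><td class="e">safe_mode</td><td class="v">Off</td><td class="v">Off</td></tr>
<tr><td class="e">open_basedir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
<tr><td class="e">register_globals</td><td class="v">On</td><td class="v">On</td></tr>
</table>
<h2>Environment</h2>
<table>
<tr><td class="e">SERVER_SOFTWARE </td><td class="v">Apache/1.3.26 (Unix) mod_bwlimited/1.0 PHP/4.2.1 mod_log_bytes/0.3 FrontPage/5.0.2.2510 mod_ssl/2.8.9 OpenSSL/0.9.6b </td></tr>
<tr><td class="e">DOCUMENT_ROOT </td><td class="v">/home/forums/public_html </td></tr>
</table>
</body></html>"""

_VERSION_RE = re.compile(r"PHP Version\s*([0-9][0-9A-Za-z.\-]*)")
# Each phpinfo() row is <td class="e">key</td><td class="v">value</td>[<td class="v">master</td>];
# we keep the key and the first (local) value only.
_ROW_RE = re.compile(
    r"<tr[^>]*>\s*<td class=\"e\">(.*?)</td>\s*<td class=\"v\">(.*?)</td>",
    re.S | re.I,
)
_TAG_RE = re.compile(r"<[^>]+>")


def _clean(cell: str) -> str:
    """Strip inner tags (e.g. <i>no value</i>) and entities from a table cell."""
    return html.unescape(_TAG_RE.sub("", cell)).strip()


def is_phpinfo(body: str) -> bool:
    """Cheap fingerprint: the 'PHP Version' banner plus phpinfo()'s 'e' cells."""
    return _VERSION_RE.search(body) is not None and '<td class="e">' in body


def parse_phpinfo(body: str) -> Dict[str, str]:
    """Flatten every key/value row of a phpinfo() page into a dict (first hit wins)."""
    out: Dict[str, str] = {}
    m = _VERSION_RE.search(body)
    if m:
        out["PHP Version"] = m.group(1)
    for key, val in _ROW_RE.findall(body):
        k, v = _clean(key), _clean(val)
        if k and k not in out:
            out[k] = v
    return out


def software_versions(server_software: str) -> Dict[str, str]:
    """Split an Apache SERVER_SOFTWARE banner into {component: version}."""
    return dict(re.findall(r"([A-Za-z_][\w\-]*)/([\w.\-]+)", server_software))


def triage(body: str) -> Dict[str, object]:
    """Pull out the items the post complains about: versions, safe_mode, modules, paths."""
    info = parse_phpinfo(body)
    banner = info.get("SERVER_SOFTWARE", "")
    return {
        "php_version": info.get("PHP Version"),
        "safe_mode": info.get("safe_mode"),
        "register_globals": info.get("register_globals"),
        "open_basedir": info.get("open_basedir"),
        "document_root": info.get("DOCUMENT_ROOT"),
        "loaded_modules": info.get("Loaded Modules", "").split(),
        "components": software_versions(banner),
    }


def fetch_and_triage(url: str, timeout: float = 5.0) -> Optional[Dict[str, object]]:
    """Assumed live usage, e.g. fetch_and_triage('http://host/phpinfo.php') on hosts you own.
    Returns None when the response does not look like phpinfo() output."""
    import urllib.request  # imported here so the offline parser has no network dependency
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
    return triage(body) if is_phpinfo(body) else None


if __name__ == "__main__":
    for k, v in triage(SAMPLE_PHPINFO).items():
        print(f"{k}: {v}")
```

Running the parser over the constructed sample yields exactly the facts the post lists: PHP 4.2.1 with safe_mode Off, the loaded Apache modules, the web root on disk, and a component table that includes OpenSSL 0.9.6b, which is what let the author spot an outdated library the site had otherwise hidden. The fix the post asks for (remove the file, or never upload it) is the right one; a parser like this is only useful for confirming that the removal actually happened.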
    



    This archive was generated by hypermail 2b30 : Tue Sep 24 2002 - 16:05:12 PDT