Several bugs found in "Spyke's PHP Board"

From: Marc Bromm (theblacksheepat_private)
Date: Mon Jun 09 2003 - 10:25:19 PDT


     ================================================
    <------------------------------------------------>
    <------------#www.bright-shadows.net#------------>
    <------------------------------------------------>
    <--------------#theblacksheep&erik#-------------->
    <------------------------------------------------>
     ================================================
    
    Advisory Information
    --------------------
    Advisory Name      : Several bugs found in "Spyke's PHP Board"
    Author             : Marc Bromm <theblacksheepat_private> Germany
    Discovered by      : Marc Bromm <theblacksheepat_private> Germany
    Release Date       : 9. June 2003
    Application        : Spyke's PHP Board (textfile based board)
    Vendor Homepage    : http://www.spyke-online.de
    Vulnerable Versions: v2.1 (maybe older)
    Platforms          : OS Independent, PHP
    Severity           : High 
    
    ######Overview:
    
    "Spyke's PHP Board" is a small textfile based PHP board. You have to
    register to write messages. An admin area also exists, where you can
    add/delete threads and add/delete topics.
    The website www.spyke-online.de is the official website where you can get
    it.
    
    ######Exploit:
    
    1. Get userinformation
     
    All of a user's information, such as password (plaintext), e-mail, ICQ
    number, signature ..., is stored in text files in the directory "user/".
    Each file is named after the user.
    
    So if you register as "theblacksheep", your information is stored in:
    
    user/theblacksheep.txt
    
    These files can be opened directly with a browser to read the
    information.
    
    
    2. Get the admin password and username
    
    In the root directory you can find a file called "info.dat". It looks
    like:
    
      <?php
        $boardname="Spykes PHP Board";
        $hintergrund="#C0C0C0";
        $linkfarbe="#333333";
        $table1="#606060";
        $table2="#F0F0F0";
        $table3="#A0A0A0";
        $text="#000000";
        $adminname="adminname";
        $adminpw="adminpassword";
        $topicdelzahl="15";
        $phpendung = ".php";
      ?>
    
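    Because the file is named "info.dat" rather than ".php", a web server
    typically returns it as plain text instead of executing it. Opening this
    file with a browser therefore reveals the admin information, which
    allows logging in as admin with full control.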
    
    Some more bugs exist. It is also possible to:
    
    --> Create a topic in a non-existent thread (found by DigitalAcid)
    --> Change anyone's account without knowing their password (FirebirdGM)
    
    
    ######Fix:
    
    It is not possible to fix these holes. (You can do it, but then you have
    to change everything [how all the information is stored].)
    
    ######Vendor Response:
    
    For "Spyke PHP Board" no support exists.
    
    Greetz to:
    
    erik, FirebirdGM, DigitalAcid
    
    ==================================================
    -- 
      
      theblacksheepat_private
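
The fix section says the way the information is stored would have to change. As an added example (not part of the advisory and not Spyke's PHP Board code), this is one way such storage could look in PHP: records kept outside the document root and passwords stored only as hashes. The directory path, the function names and the JSON record layout are assumptions made for illustration.

```php
<?php
// Added example, not Spyke's PHP Board code.
// Assumption: DATA_DIR is a hypothetical directory OUTSIDE the web server's
// document root, so no URL maps to the files stored in it.
const DATA_DIR = '/var/lib/board/users';

// Map a username to its record path. Only plain names are accepted, so a
// name can never contain "/" or ".." and point outside DATA_DIR.
function user_file(string $name): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $name)) {
        throw new InvalidArgumentException('invalid username');
    }
    return DATA_DIR . '/' . strtolower($name) . '.json';
}

function register_user(string $name, string $password, string $email): void
{
    $record = json_encode([
        'name'  => $name,
        'email' => $email,
        // Store a salted hash, never the plaintext password.
        'hash'  => password_hash($password, PASSWORD_DEFAULT),
    ]);
    $old = umask(0077);                    // new file readable by owner only
    // Mode 'x' fails if the file exists: an existing account is never overwritten.
    $fh = @fopen(user_file($name), 'x');
    umask($old);
    if ($fh === false) {
        throw new RuntimeException('user exists or storage unavailable');
    }
    fwrite($fh, $record);
    fclose($fh);
}

function check_login(string $name, string $password): bool
{
    try {
        $raw = @file_get_contents(user_file($name));
    } catch (InvalidArgumentException $e) {
        return false;                      // malformed name: treat as unknown user
    }
    $record = ($raw === false) ? null : json_decode($raw, true);
    return is_array($record)
        && isset($record['hash'])
        && password_verify($password, $record['hash']);
}
```

The admin account can be stored as a record of the same kind, so no configuration file under the web root holds a password.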
    
    


