Information Disclosure Vulnerability in board51, forum51 and news51

From: Marc Bromm (theblacksheepat_private)
Date: Tue Jul 08 2003 - 10:55:45 PDT


     ================================================
    <------------------------------------------------>
    <------------#www.bright-shadows.net#------------>
    <------------------------------------------------>
    <--------------#theblacksheep&erik#-------------->
    <------------------------------------------------>
     ================================================
    
    Advisory Information
    --------------------
    Advisory Name      : Information Disclosure Vulnerability in board51,
    forum51 and news51
    Author             : Marc Bromm <theblacksheepat_private> Germany
    Discovered by      : Marc Bromm <theblacksheepat_private> Germany
    Release Date       : 8 July 2003
    Application        : forum51, board51 and news51 (textfile based forum,
    board and news system)
    Vendor Homepage    : http://www.laforge-groups.de (German site)
    Vendor Status      : notified
    Vulnerable Versions: board51: v1.0b, v2.0  (maybe older)
                         forum51: v2.5b, v2.6b (maybe older)
                         news51 : v1.0a, v1.5  (maybe older)
    Platforms          : OS Independent, PHP
    Severity           : High
    
     
    
    ######Overview:
    
    The 51 scripts are text-based web applications (a forum, a board and a news
    system) which are not bad. The design is great and it has many functions.
    The official website is http://www.laforge-groups.de
    
    ######Exploit:
    
    1. Get admin/user password hashes
    
    All user/admin information is stored in a file named "user.idx" in the
    "data" directory. So it is possible for you to open the files with your
    browser to get the information.
    
    For example: 
    
    ~/newsdata/data/user.idx
    ~/forumdata/data/user.idx
    ~/boarddata/data/user.idx
    
    Then crack the md5 hash and hope that the admin has a not-so-good
    password.
    
    
    ######Vendor Response:
    
    They told me that no patch is available and that the user can protect
    that directory with the special file, but they are thinking about fixing
    it in newer versions.
    
    Greetz to:
    
    Erik, (O_o)oOoOoOo.
    -- 
      
      theblacksheepat_private
    
    
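A small defender-side check, added here and not part of the advisory or of the vendor's code: it audits a local installation for the three data directories named in the advisory, reports whether each user.idx is shielded by the kind of .htaccess "special file" the vendor refers to, and can write that file. The stock directory names, the Apache-only protection and the user.idx line format are assumptions.

```python
import tempfile
from pathlib import Path

# Data directories named in the advisory (assumption: stock names under the web root).
DATA_DIRS = ("newsdata/data", "forumdata/data", "boarddata/data")
SENSITIVE_FILE = "user.idx"
DENY_DIRECTIVES = ("deny from all", "require all denied")  # Apache 2.2 / 2.4

def htaccess_denies(directory: Path) -> bool:
    """True if directory/.htaccess holds an uncommented deny-all directive."""
    htaccess = directory / ".htaccess"
    text = htaccess.read_text(errors="replace") if htaccess.is_file() else ""
    for line in text.splitlines():
        stripped = line.strip().lower()
        if not stripped.startswith("#") and stripped in DENY_DIRECTIVES:
            return True
    return False

def audit_webroot(webroot) -> dict:
    """Map each data directory to 'absent', 'protected' or 'exposed'.
    Caveat: .htaccess only takes effect where AllowOverride permits it."""
    results = {}
    for rel in DATA_DIRS:
        directory = Path(webroot) / rel
        if not (directory / SENSITIVE_FILE).is_file():
            results[rel] = "absent"
        elif htaccess_denies(directory):
            results[rel] = "protected"
        else:
            results[rel] = "exposed"  # the hash file is one URL away
    return results

def protect_directory(directory: Path) -> Path:
    """Write a deny-all .htaccess that works on both Apache 2.2 and 2.4."""
    directory.mkdir(parents=True, exist_ok=True)
    htaccess = directory / ".htaccess"
    htaccess.write_text("# Block all HTTP access to the *51 data files\n"
                        "<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n"
                        "<IfModule !mod_authz_core.c>\n    Order deny,allow\n"
                        "    Deny from all\n</IfModule>\n")
    return htaccess

def demo() -> tuple:  # constructed sample install, audited before/after protecting
    with tempfile.TemporaryDirectory() as root:
        data = Path(root) / "forumdata/data"
        data.mkdir(parents=True)
        (data / SENSITIVE_FILE).write_text("admin:<md5 hash placeholder>\n")
        before = audit_webroot(root)["forumdata/data"]
        protect_directory(data)
        return before, audit_webroot(root)["forumdata/data"]
```

Moving the data directory outside the document root altogether is the stronger fix; the .htaccess route only helps on Apache with overrides enabled.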



    This archive was generated by hypermail 2b30 : Tue Jul 08 2003 - 13:33:28 PDT