SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   XMB Forum
Vendors:   Xmbforum.com
XMB Group Magic Lantern Forum Software Discloses Log Files and Server Installation Path Information to Remote Users
SecurityTracker Alert ID:  1004318
SecurityTracker URL:  http://securitytracker.com/id/1004318
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 17 2002
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.6b Final
Description:   Several vulnerabilities were reported in the XMB Magic Lantern web forum software. A remote user can view log file information and can determine the server's installation path. Also, several cross-site scripting vulnerabilities exist, allowing remote users to steal user and administrator authentication cookies.

It is reported that a remote user can request the 'cplogfile.log' file from the server to view log entries in the following format:

USER|#||#|IP|#||#|DATE|#||#|URL

A remote user can also request the 'index_log.log' file from servers that are not running Microsoft Internet Information Server to view log entries in the following format:

REMOTE_ADDR,HTTP_CLIENT_IP,host,HTTP_USER_AGENT,HTTP_REFERER,HTTP_COOKIE,date

A remote user may be able to determine the installation path of the server software if the index_log.log file does not have the proper permissions. If the file is not set with 777 (read/write/execute) permissions, the 'add_index.php' script will generate errors that indicate the full path name of the script.

Several cross-site scripting flaws were reported. Because the software uses cookies for authentication, these bugs can allow remote users to steal the cookies of other users and administrators to gain access to their accounts.

A remote user can create a profile and enter scripting in the MSN box. Then, when another target (victim) user views the profile, the scripting will be executed by the target user's browser. The code will run in the security context of the web site running XMB Magic Lantern and will be able to access the target user's cookies associated with that web site.

A remote user can also use the BBCode [img] tag to insert javascript into messages. For example, the code '[img]javascript:alert('hop'+document.cookie)[/img]' will be rendered as '<img src="javascript:alert('hop'+document.cookie)" border=0>' and then executed when the target user views the message.
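The [img] rendering described above, as an added example that is not XMB's own code: a naive substitution that reproduces the quoted output, beside a renderer that escapes all post text and emits an image tag only for plain http(s) URLs. The function names and sample posts are hypothetical; the two payloads are the [img] strings quoted on this page (the second is listed in the source message below).

```php
<?php
// Added illustration; function names are hypothetical, not taken from XMB.

// Naive substitution: reproduces the rendered output quoted in the advisory.
function render_img_naive(string $post): string
{
    return preg_replace('#\[img\](.*?)\[/img\]#is', '<img src="$1" border=0>', $post);
}

// Hardened renderer: every piece of the post is HTML-escaped, and an <img>
// is produced only when the tag body is an absolute http/https URL that
// contains no whitespace, quotes or angle brackets.
function render_post_safe(string $post): string
{
    $out = '';
    // Odd-index parts are the captured [img]...[/img] tags, even-index parts are plain text.
    $parts = preg_split('#(\[img\].*?\[/img\])#is', $post, -1, PREG_SPLIT_DELIM_CAPTURE);
    foreach ($parts as $i => $part) {
        $isTag = ($i % 2 === 1);
        if ($isTag && preg_match('#^\[img\]\s*(https?://[^\s"\'<>]+)\s*\[/img\]$#iD', $part, $m)) {
            $out .= '<img src="' . htmlspecialchars($m[1], ENT_QUOTES, 'UTF-8') . '" border="0" alt="">';
        } else {
            // Rejected tags and ordinary text are shown as inert, escaped text.
            $out .= htmlspecialchars($part, ENT_QUOTES, 'UTF-8');
        }
    }
    return $out;
}

// Constructed sample posts; forum.example is a placeholder host.
$samples = [
    "[img]javascript:alert('hop'+document.cookie)[/img]",
    '[img]" onerror="alert(\'hum\')" width="0[/img]',
    'avatar: [img]http://forum.example/avatar.png[/img] <b>hi</b>',
];
foreach ($samples as $s) {
    echo "naive: ", render_img_naive($s), "\n";
    echo "safe:  ", render_post_safe($s), "\n\n";
}
```

The safe renderer uses an allow-list of schemes rather than a block-list of "javascript:", so the attribute-breakout form is rejected by the same check.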

A few other cross-site scripting attack methods are described in the author's original advisory, available (in French) at:

http://www.ifrance.com/kitetoua/tuto/xmbml-devbb.txt

Impact:   A remote user can view log file information on the server. A remote user may be able to determine the installation path. A remote user can conduct cross-site scripting attacks against other site users (and administrators) to steal their authentication cookies and access their accounts.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.xmbforum.com/
Cause:   Access control error, Configuration error, Exception handling error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   None.


 Source Message Contents

Subject:  Security holes : XMB Magic Lantern forum & DevBB




Hi all :)

Product 1 :
***********
XMB Magic Lantern forum 1.6b final
http://www.xmbforum.com
http://www.aventure-media.co.uk

Problems :
- Reading of logs files
- XSS
- Path Disclosure
- Access to users/admins accounts
- Logs distortion

Exploits :
- /index_log.log
- /cplogfile.log
- If index_log not chmod 777 => index_add.php
- index.php?analized=huhu
- member.php?action=viewpro&member=<fo*rm%20name=o><input%
20name=u%20value=XSS></for*m><scri*pt>alert
(document.o.u.value)</scri*pt> (without '*' )
- [img]javascript:alert('hop'+document.cookie)[/img]
- [img]" onerror="alert('hum')" width="0[/img]
- member.php?action=reg&username=%253Cscript%253E&...
- ...

Product 2 :
***********
DevBB 1.0 final
http://www.mybboard.com

Problems :
- DB emptying
- XSS
- Reading of logs files
- Access to users/admins accounts

Exploits :
- /admin/cplogfile.log
- /install.php
- ...

More details :
in French :
http://www.ifrance.com/kitetoua/tuto/xmbml-devbb.txt

translated by Google :
http://translate.google.com/translate?u=http://www.ifrance.com/kitetoua/tuto/xmbml-devbb.txt&langpair=fr|en&hl=fr&ie=ASCII&oe=ASCII


As usual, sorry for my bad English :)
frog-m@n

 
 

