APBoard PHP-based Forum Lets Remote Users Post Messages in Protected Forums and Obtain Other User Passwords
SecurityTracker Alert ID: 1005615
SecurityTracker URL: http://securitytracker.com/id/1005615
Date: Nov 13 2002
Disclosure of authentication information, User access via network
Exploit Included: Yes
Version(s): 2.02, 2.03
A vulnerability was reported in the APBoard PHP-based forum software. A remote user can post messages to protected forums and may be able to obtain a target user's forum password.
It is reported that a remote authenticated user can submit threads to password-protected forums. This can be achieved by setting a hidden HTML form variable "insertinto" with a value of "12" before submitting a new thread by clicking on "Neues Thema".
It is also reported that a user may be able to hijack the forum-password by using a referer field logging script. The forum software displays a user's password in plain text in the title bar (as part of the URL) when the user logs into a password-protected forum. A remote user could create a script that logs the HTTP 'referer' field and place a link to the script in a password-protected forum. If an unsuspecting target user clicks on the link, the target user's password (from the URL) may be disclosed to the remote user's logging script via the referer field.
The vendor has reportedly been notified.
A remote authenticated user can post to password-protected forums without having the password. A remote authenticated user may be able to obtain a target user's forum password.
No solution was available at the time of this entry.
Vendor URL: apboard.php-schmiede.de/main.php
Access control error, Authentication error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Source Message Contents
Subject: APBoard - post threads to protected forums and possibility to
Product: Another PHP Program - APBoard
Versions: tested on 2.02, 2.03
Vulnerability: post threads to protected forums and possibility to hijack
Date: November 12, 2002
Discovered by: ProXy <firstname.lastname@example.org>
Normal Users can submit threads to password protected forums
and possibly hijack the forum-password with some referer logging script
I have already informed APP about this vulnerability!
1, register an account on vuln board
2, go to any forum and click on "Neues Thema"
3, open sourcecode of this site and scroll down to the following lines:
<INPUT TYPE="hidden" NAME="sess_id" VALUE="">
<INPUT TYPE="hidden" NAME="postit" VALUE="TRUE">
<INPUT TYPE="hidden" NAME="insertinto" VALUE="1">
<INPUT TYPE="hidden" NAME="BoardID" VALUE="1">
<INPUT CLASS="button" TYPE="submit" NAME="new_topic" VALUE="Thema posten">
<INPUT CLASS="button" TYPE="submit" NAME="preview_topic" VALUE="Vorschau">
4, edit the "insertinto" value of the forum where you want to submit the
eg: <INPUT TYPE="hidden" NAME="insertinto" VALUE="12">
5, save the file locally
6, open file and write your text, then click "Thema posten" and the new
thread is posted to the protected forum
Another Bug in this Board is that if a user logs into a protected forum
the forum-password will be shown on the title-bar in plaintext
you could create a referer-logging script and link this in the posted
thread of the protected forum.
if any user clicks on the link the plaintext password would therefore be
saved in the logs of the attacker
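
The two server-side safeguards whose absence the report describes, as an added PHP sketch that is not APBoard code and not part of the original message: the posting handler re-checks the client-supplied "insertinto" value against session state, and the forum password is taken from the POST body and remembered in the session so it never appears in a URL. All function names, the session layout and the sample forum data are assumptions.

```php
<?php
// Added illustration, not APBoard code; every name here is hypothetical.

// The forum password arrives in the POST body (never the URL, so it cannot
// reach the title bar or a Referer header); success is kept server-side.
function unlock_forum(int $forumId, string $password, array $forums, array &$session): bool
{
    $hash = $forums[$forumId]['hash'] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    $session['unlocked'][$forumId] = true;
    return true;
}

// Returns the forum id a new thread may be written to, or throws.
function authorize_new_thread(array $post, array $session, array $forums): int
{
    // "insertinto" is a hidden form field, i.e. client-controlled input.
    $forumId = filter_var($post['insertinto'] ?? null, FILTER_VALIDATE_INT);
    if ($forumId === false || !isset($forums[$forumId])) {
        throw new InvalidArgumentException('unknown forum');
    }
    if (empty($session['user_id'])) {
        throw new RuntimeException('login required');
    }
    // Server-side check: a protected forum must be unlocked in this session.
    if ($forums[$forumId]['hash'] !== null && empty($session['unlocked'][$forumId])) {
        throw new RuntimeException('forum password required');
    }
    return $forumId;
}

// Constructed sample data: forum 1 is open, forum 12 is password-protected.
$forums  = [1  => ['hash' => null],
            12 => ['hash' => password_hash('s3cret-sample', PASSWORD_DEFAULT)]];
$session = ['user_id' => 7, 'unlocked' => []];
$post    = ['insertinto' => '12', 'postit' => 'TRUE'];   // edited hidden field

try {
    authorize_new_thread($post, $session, $forums);
    echo "accepted\n";
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
unlock_forum(12, 's3cret-sample', $forums, $session);     // password sent via POST
echo "accepted into forum ", authorize_new_thread($post, $session, $forums), "\n";
```

Sending a `Referrer-Policy: same-origin` response header on forum pages additionally keeps page URLs out of the Referer header on requests to other sites.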