SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   APBoard
Vendors:   Mieland, Alexander
APBoard PHP-based Forum Lets Remote Users Post Messages in Protected Forums and Obtain Other User Passwords
SecurityTracker Alert ID:  1005615
SecurityTracker URL:  http://securitytracker.com/id/1005615
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 13 2002
Impact:   Disclosure of authentication information, User access via network
Exploit Included:  Yes  
Version(s): 2.02, 2.03
Description:   A vulnerability was reported in the APBoard PHP-based forum software. A remote user can post messages to protected forums and may be able to obtain a target user's forum password.

It is reported that a remote authenticated user can submit threads to password-protected forums. This can be achieved by setting a hidden HTML form variable "insertinto" with a value of "12" before submitting a new thread by clicking on "Neues Thema".

It is also reported that a user may be able to hijack the forum-password by using a referer field logging script. The forum software displays a user's password in plain text in the title bar (as part of the URL) when the user logs into a password-protected forum. A remote user could create a script that logs the HTTP 'referer' field and place a link to the script in a password-protected forum. If an unsuspecting target user clicks on the link, the target user's password (from the URL) may be disclosed to the remote user's logging script via the referer field.

The vendor has reportedly been notified.

Impact:   A remote authenticated user can post to password-protected forums without having the password. A remote authenticated user may be able to obtain a target user's forum password.
Solution:   No solution was available at the time of this entry.
Vendor URL:  apboard.php-schmiede.de/main.php
Cause:   Access control error, Authentication error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  APBoard - post threads to protected forums and possibility to




Product: Another PHP Program - APBoard
Versions: tested on 2.02, 2.03
Vulnerability: post threads to protected forums and possibility to hijack 
forum-password
Date: November 12, 2002
Discovered by: ProXy <proxy@es-crew.de> 

Introduction:
Normal Users can submit threads to password protected forums 
and possibly hijack the forum-password with some referer logging script
I have already informed  APP about this vulnerability!

Exploit:
1, register an account on vuln board

2, go to any forum and click on "Neues Thema"

3, open sourcecode of this site and scroll down to the following lines:

<---code--->
<INPUT TYPE="hidden" NAME="sess_id" VALUE="">
<INPUT TYPE="hidden" NAME="postit" VALUE="TRUE">
<INPUT TYPE="hidden" NAME="insertinto" VALUE="1">
<INPUT TYPE="hidden" NAME="BoardID" VALUE="1">
<INPUT CLASS="button" TYPE="submit" NAME="new_topic" VALUE="Thema posten">
<INPUT CLASS="button" TYPE="submit" NAME="preview_topic" VALUE="Vorschau">
<---code--->

4, edit the "insertinto" value of the forum where you want to submit the 
new thread.
eg: <INPUT TYPE="hidden" NAME="insertinto" VALUE="12">

5, save the file locally

6, open file and write your text, then click "Thema posten" and the new 
thread is posted to the protected forum

Another Bug in this Board is that if a user logs into a protected forum
the forum-password will be shown on the title-bar in plaintext
eg: http://www.your-domain.com/apboard/thread.php3?id=999&passwort=1&thepasswordhere

you could create a referer-logging script and link this in the posted 
thread of the protected  forum. 
if any user clicks on the link the plaintext password would therefore be 
saved in the logs of the attacker

- ProXy
- http://www.es-crew.de
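
Both issues reported above come from trusting the client: the hidden "insertinto" field decides where a thread lands, and the forum password travels in the URL where the referer field can expose it. The PHP below is an added example (not APBoard code and not part of the original message) of the server-side checks that address both; the forum table, session keys and function names are assumptions made for illustration.

```php
<?php
// Added example, not APBoard source. Only the "insertinto" field name comes
// from the advisory; everything else here is a hypothetical name.

// Constructed sample data: forum 12 is password-protected, forum 1 is open.
$FORUMS = [
    1  => ['protected' => false, 'hash' => null],
    12 => ['protected' => true,  'hash' => password_hash('constructed-sample', PASSWORD_DEFAULT)],
];

// Called when the user submits the forum password. The password arrives in a
// POST body, never in the URL, so it cannot leak through the Referer header.
function unlock_forum(array $forums, array &$session, int $forumId, string $password): bool
{
    $forum = $forums[$forumId] ?? null;
    if ($forum === null || !$forum['protected']) {
        return false;
    }
    if (!password_verify($password, $forum['hash'])) {
        return false;
    }
    // Record the grant server-side; the client only holds the session cookie.
    $session['unlocked'][$forumId] = true;
    return true;
}

// Authorization check run on every post. "insertinto" is client-controlled,
// so it only selects the target forum; it never grants access to it.
function may_post(array $forums, array $session, array $post): bool
{
    $forumId = filter_var($post['insertinto'] ?? null, FILTER_VALIDATE_INT);
    if ($forumId === false || !isset($forums[$forumId])) {
        return false;
    }
    if (empty($session['user_id'])) {
        return false; // posting requires a logged-in account
    }
    return !$forums[$forumId]['protected'] || !empty($session['unlocked'][$forumId]);
}

$session = ['user_id' => 7]; // constructed session of a registered user
var_dump(may_post($FORUMS, $session, ['insertinto' => '12'])); // hidden field edited, forum not unlocked
unlock_forum($FORUMS, $session, 12, 'constructed-sample');
var_dump(may_post($FORUMS, $session, ['insertinto' => '12'])); // same request after unlocking
```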

 
 

