================================================ <------------------------------------------------> <------------#www.bright-shadows.net#------------> <------------------------------------------------> <--------------#theblacksheep&erik#--------------> <------------------------------------------------> ================================================
Advisory Information -------------------- Advisory Name : Several bugs found in "Spyke's PHP Board" Author : Marc Bromm <[EMAIL PROTECTED]> Germany Discover by : Marc Bromm <[EMAIL PROTECTED]> Germany Release Date : 9. June 2003 Application : Spyke's PHP Board (textfile based board) Vendor Homepage : http://www.spyke-online.de Vulnerable Versions: v2.1 (maybe older) Platforms : OS Independent, PHP Severity : High ######Overview: "Spyke's PHP Board" is a small textfile based PHP board. You have to register to write messages. Also an admin area exist. There you can add/delete threads, add/delete topics. The website www.spyke-online.de is the official website where you can get it. ######Exploit: 1. Get userinformation All information of a user like password (plaintext), e-mail, icq number, signatur ... are stored in textfiles in the directory "user/". Every file has the name of the user. So if you register as "theblacksheep" your information are stored in: user/theblacksheep.txt So it is possible for you to open the files with your browser to get the information. 2. Get the admin password and username In the root directory you can find a file called "info.dat". It looks like: <?php $boardname="Spykes PHP Board"; $hintergrund="#C0C0C0"; $linkfarbe="#333333"; $table1="#606060"; $table2="#F0F0F0"; $table3="#A0A0A0"; $text="#000000"; $adminname="adminname"; $adminpw="adminpassword"; $topicdelzahl="15"; $phpendung = ".php"; ?> So only open this file with your browser and get the admin information. Then you can log in as admin. So you have full control. Also some more bugs exist. So it is also possible to: --> Create topic in not existing thread (found by DigitalAcid) --> Change anyone's account without knowing their password (FirebirdGM) ######Fix: It is not possible to fix that holes. (You can do it but then you have to change everything [how the whole information are stored]) ######Vendor Response: For "Spyke PHP Board" no support exist. Greetz to: erik, FirebirdGM, DigitalAcid ================================================== -- [EMAIL PROTECTED] -- http://www.fastmail.fm - Or how I learned to stop worrying and love email again
