Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
March 28, 2024
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 491
Members: 0
Total: 491
PacketStorm News
·301 Moved Permanently

read more...
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpBB -> phpBB 2.0.17 and most likely below Goto page Previous  1, 2, 3, 4, 5  Next
Post new topic  Reply to topic View previous topic :: View next topic 
PostPosted: Sun Aug 21, 2005 6:48 am Reply with quote
lunix
Regular user
Regular user
 
Joined: Aug 17, 2005
Posts: 16




Vipsta wrote:
What about using the same vulnerability to make a user an administrator? Or atleast something more interesting then "Logout".

I don't think you understand what the script is doing.
View user's profile Send private message Visit poster's website
PostPosted: Sun Aug 21, 2005 10:11 am Reply with quote
y3dips
Valuable expert
Valuable expert
 
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




Vipsta wrote:
What about using the same vulnerability to make a user an administrator? Or atleast something more interesting then "Logout".


i think it would be good if u read all the thread from the first Smile
so you wont get this thread back to "zero" again Laughing

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Sun Aug 21, 2005 10:25 am Reply with quote
y3dips
Valuable expert
Valuable expert
 
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




subzero wrote:
mm accesing script to add user as admin in /admin/ folder would ask admin to re-authenticate him/herself

hard to access /admin/ folder now.
but you can delete specific posting then,
whenever an admin view the thread.

hehe maybe someone out there know how to bypass it .


yupe, i agree with u, all possible to do is something "limited" that admin can do without re-authenticate ( as we know Now to access admin folder still need to re-authenticate Smile )

how about in other forum or bulettin board *_^ .. we should give a try Razz

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Sun Aug 21, 2005 11:21 am Reply with quote
lunix
Regular user
Regular user
 
Joined: Aug 17, 2005
Posts: 16




The only way to get root on phpbb now is to get the admin hash and crack it. All the fun stopped when phpbb realised EVERY admin cookie was the same. Laughing
View user's profile Send private message Visit poster's website
PostPosted: Sun Aug 21, 2005 12:18 pm Reply with quote
oxygenne
Advanced user
Advanced user
 
Joined: Apr 13, 2005
Posts: 52




What about saving some page of a forum offline copy the source of the code(modify it to log the stuff then redirect) and put it in a index.php file
View user's profile Send private message
PostPosted: Sun Aug 21, 2005 3:04 pm Reply with quote
subzero
Valuable expert
Valuable expert
 
Joined: Mar 16, 2005
Posts: 42




y3dips wrote:

how about in other forum or bulettin board *_^ .. we should give a try Razz


nice idea.there are lots of others cms (content manager ) that use bbcode in their post .
you can try popular and widely use cms from

http://hotscripts.com/PHP/Scripts_and_Programs/Content_Management/index.html

who might know.. new vulnerability found . ;p
View user's profile Send private message Visit poster's website
PostPosted: Sun Aug 21, 2005 3:31 pm Reply with quote
y3dips
Valuable expert
Valuable expert
 
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




subzero wrote:

nice idea.there are lots of others cms (content manager ) that use bbcode in their post .
you can try popular and widely use cms from

http://hotscripts.com/PHP/Scripts_and_Programs/Content_Management/index.html

who might know.. new vulnerability found . ;p


well my friends , ive found that vbulletin (3.0.7 also prior version) and PUNBB (1,26 alsso prior version) are vulnerable with this kind of threat too Smile , ive already post to the vendor (with detail exploitation) also to bugtraq (with no exploitation details Razz)

interesting huh, just imaging how "mess" this could be

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Sun Aug 21, 2005 3:57 pm Reply with quote
subzero
Valuable expert
Valuable expert
 
Joined: Mar 16, 2005
Posts: 42




Laughing so we have 3-4 vulnerable now and not forgetting from the bug finder himself. Wink

so this vulnerable affect most of the cms out there.
you will able to do more such as adding admin user then ,get database if the script dont need you to re-autheticate as admin.

y3dips, yakin boleh. Wink hehehe
View user's profile Send private message Visit poster's website
PostPosted: Mon Aug 22, 2005 4:27 am Reply with quote
y3dips
Valuable expert
Valuable expert
 
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




subzero wrote:
Laughing so we have 3-4 vulnerable now and not forgetting from the bug finder himself. Wink

so this vulnerable affect most of the cms out there.
you will able to do more such as adding admin user then ,get database if the script dont need you to re-autheticate as admin.

y3dips, yakin boleh. Wink hehehe


yupe, if im not wrong it affect in all web applicatian that using BBCode without doing any modification or parsing to check user input , but the level are various , like what easyex found in phpbb and php-fusion also what i found in vbulletin (need re-authicate) and punBB (no need) Smile , and many ..

but i think is not honest to feed the kiddies with fresh exploit Wink

:soal boleh or tidak sih , moral aja sech Razz

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Mon Aug 22, 2005 5:25 am Reply with quote
Easyex
Regular user
Regular user
 
Joined: Aug 19, 2005
Posts: 6




y3dips wrote:
subzero wrote:

nice idea.there are lots of others cms (content manager ) that use bbcode in their post .
you can try popular and widely use cms from

http://hotscripts.com/PHP/Scripts_and_Programs/Content_Management/index.html

who might know.. new vulnerability found . ;p


well my friends , ive found that vbulletin (3.0.7 also prior version) and PUNBB (1,26 alsso prior version) are vulnerable with this kind of threat too Smile , ive already post to the vendor (with detail exploitation) also to bugtraq (with no exploitation details Razz)

interesting huh, just imaging how "mess" this could be


Err..

Bad luck, I found the vulnerability many weeks ago Confused

PHP-Fusion, PhpBB, vBulletin, Invision Power Board, SMF and more..

I have reported it to all the vendors above already.

Basically anything that allows BBcode [img][/img] tags is most likely vulnerable.

Enjoy.
View user's profile Send private message
PostPosted: Mon Aug 22, 2005 8:06 am Reply with quote
lunix
Regular user
Regular user
 
Joined: Aug 17, 2005
Posts: 16




It would work in anything that allows people to post images.
The flaw isnt in bbcode, its in browsers.

I dont think they will even bother to patch this.
Parsering EVERY image everytime the page is loaded would lag.
An obvious solution would be to not allow linking to remote images. Everytime someone wanted to post an image they would have to upload it either from thier computer or a remote lacation so the forum can download it, then it would only need to be parsered once.

Either way, it would take a lot of work to patch something that isnt critical.
I dont think they will bother.
View user's profile Send private message Visit poster's website
PostPosted: Mon Aug 22, 2005 9:08 am Reply with quote
Easyex
Regular user
Regular user
 
Joined: Aug 19, 2005
Posts: 6




Yeah exactly right it would lag...

The best thing for them to do is require confirmination for functions so that it cant be executed, that's what phpbb is doing i believe but it's not that bad since you cant to administrator functions.

On PHP-Fusion on the other hand you can perform administrator functions so some people will have a fair bit to fix up, There current patch checks the height and width to check if its an image but there is a way to get passed that.

All the others i have not gone over but some you should be able to do some administrator functions on different cms/forums.

In SMF you can lock topics, I didn't look at it much that was the only thing i tested but I'm guessing there are other things you can do.

Regards,

Easyex.
View user's profile Send private message
PostPosted: Mon Aug 22, 2005 9:11 am Reply with quote
shai-tan
Valuable expert
Valuable expert
 
Joined: Feb 22, 2005
Posts: 477




Finnaly something positive Wink
I dont really see this as much of a threat because I never allow avatar off site linking anyway. A lot of sites I have been on do the same. But the likes of Role Playing web sites will be effected.

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Mon Aug 22, 2005 9:17 am Reply with quote
Easyex
Regular user
Regular user
 
Joined: Aug 19, 2005
Posts: 6




It is a threat to other forums/cms

It just depends on how well it's coded and it's authentication.

On PHP-Fusion you can delete members, delete shout box posts, ban users, delete admins and other things.

SMF you can lock topics and probally do some other stuff

And im sure there are a few other systems out there where you can do administator functions.

Anyways.. have fun.
View user's profile Send private message
PostPosted: Mon Aug 22, 2005 10:12 am Reply with quote
kizkur
Regular user
Regular user
 
Joined: Dec 04, 2004
Posts: 11




i have proven in my server login.php?logout=true"); and work good

as I can erase a post or a user? one example please

sorry by my english

thx
View user's profile Send private message
phpBB 2.0.17 and most likely below
  www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 3 of 5  
Goto page Previous  1, 2, 3, 4, 5  Next
  
  
 Post new topic  Reply to topic  




Powered by phpBB © 2001-2008 phpBB Group






Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"
Page Generation: 0.186 Seconds