 |
aterr-exploits.txt - advisories - Security advisories that I have released to t… |
 |
git clone git://jay.scot/advisories |
 |
Log |
|
Files |
|
Refs |
|
README |
|
--- |
|
aterr-exploits.txt (2114B) |
|
--- |
|
1 Aterr Forums Multiple Vulnerabilities |
|
2 |
|
3 |
|
4 |
|
5 SUMMARY |
|
6 -------- |
|
7 |
|
8 Aterr is a threaded forum system allowing registered visitors to express |
|
9 their opinions, discuss topics, and debate with other visitors. A thread… |
|
10 forum system differs from regular, flat forum systems in that once poste… |
|
11 a thread can fork, allowing visitors to reply directly to other posts. a… |
|
12 also provides a customisable permissions system, the ability to nest for… |
|
13 and moderation tools. |
|
14 |
|
15 |
|
16 |
|
17 IMPACT |
|
18 ------- |
|
19 |
|
20 Can lead to Disclosure of system information, Disclosure of user informa… |
|
21 and Modification of forum setup. |
|
22 |
|
23 |
|
24 |
|
25 VERSIONS |
|
26 --------- |
|
27 |
|
28 Vulnerable systems: |
|
29 * Aterr versions prior to 0.4 |
|
30 |
|
31 Immune systems: |
|
32 * Aterr version 0.5 |
|
33 |
|
34 |
|
35 |
|
36 DESCRIPTION #1 - Modification of Forum Setup |
|
37 -------------- |
|
38 |
|
39 The file forums.php fails to check that an administrator has the correct |
|
40 privileges to log into the admin panel and edit the forum setup such as |
|
41 changing the logo, title etc. |
|
42 |
|
43 |
|
44 Proof of Concept: |
|
45 |
|
46 www.yoursite.com/forums/forums.php?op=admin&sub=config |
|
47 |
|
48 Fix: |
|
49 |
|
50 Add the following too forums.php starting at line 1393 : |
|
51 |
|
52 1393 : if (!permission::has_flag('forums', F_FORU… |
|
53 1394 : { |
|
54 1395 : redirect('http://' . $config['domain_name… |
|
55 1396 : } |
|
56 |
|
57 |
|
58 |
|
59 DESCRIPTION #2 - Disclosure of User Information |
|
60 -------------- |
|
61 |
|
62 Not filtering HTML of the Topic header allows XSS exploits to be added to |
|
63 any forum post. |
|
64 |
|
65 |
|
66 Proof of Concept: |
|
67 |
|
68 Enter the following as a topic header: |
|
69 <script>alert(document.cookie); </script> |
|
70 |
|
71 FIX: |
|
72 |
|
73 None given, upgrade to new version. |
|
74 |
|
75 |
|
76 |
|
77 DESCRIPTION #3 - Disclosure of System Information |
|
78 -------------- |
|
79 |
|
80 No check is made to see if a vaild profile has been selected. When a inv… |
|
81 profile has been requested the forum discloses full path information to … |
|
82 user. |
|
83 |
|
84 |
|
85 Proof of Concept: |
|
86 |
|
87 www.yoursite.com/forums/accounts.php?op=viewprofile&u= |
|
88 |
|
89 FIX: |
|
90 |
|
91 None given, upgrade to new version. |
|
92 |
|
93 |
|
94 ADDITIONAL INFORMATION |
|
95 ----------------------- |
|
96 |
|
97 Vendor URL - http://chimaera.starglade.org |
|
98 Underlying OS - Linux (Any), UNIX (Any), Windows (Any) |
|
99 Credit - Jay Scott |
|
100 Message History - None |
|
101 |
