"mboard" file creation issue

2006.12.08
Credit: Mayhemic
Risk: Low
Local: Yes
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

MHL-2006-004 - Public Advisory

+-----------------------------------------------------------+
| mboard Security Issue                                     |
+-----------------------------------------------------------+

PUBLISHED ON
  November 26th, 2006

PUBLISHED AT
  http://www.mayhemiclabs.com/advisories/MHL-2006-004.txt
  http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006004

PUBLISHED BY
  Mayhemic Labs
  http://www.mayhemiclabs.com
  security AT mayhemiclabs DOT com
  GPG key: 0x56143F84

APPLICATION
  MBoard - PHP message board
  http://www.phpjunkyard.com/php-message-board.php
  "MBoard is a PHP message board script (a simple forum)."

AFFECTED VERSIONS
  Versions 1.22 and below

ISSUES
  MBoard does not check the Post ID for malicious data when replying,
  allowing an attacker to create blank files on the system wherever
  the web server has write access.

  Example: An attacker can reply to a message and edit the "orig_id"
  variable to something malicious ("../../../../../../tmp/ZOMGHAX");
  mboard will then create the specified file (appending the configured
  extension).

WORKAROUNDS
  Enabling Magic Quotes will negate the issue.

SOLUTIONS
  Upgrade to version 1.3

REFERENCES
  MBoard - http://www.phpjunkyard.com/php-message-board.php

TIMELINE
  October 11th, 2006
    Vendor/Developer Notified
    Vendor/Developer Response Received
  October 25th, 2006
    Vendor/Developer Followup
    Vendor/Developer Response Received
  November 16th, 2006
    Vendor/Developer Followup
  November 18th, 2006
    New Version Released
  November 26th, 2006
    Advisory Released

ADDITIONAL CREDIT
  N/A

LICENSE
  Creative Commons Attribution-ShareAlike License
  http://creativecommons.org/licenses/by-sa/2.5
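The check the ISSUES section says is missing, as an added example that is not MBoard's code or the vendor's 1.3 fix: "orig_id" is accepted only as a plain decimal ID and must name an existing post inside the message directory. The function names, $msgDir, the "txt" extension and the "<dir>/<id>.<ext>" storage layout are assumptions made for illustration.

```php
<?php
// Added illustration, not MBoard source. Function names, $msgDir, $ext and
// the "<dir>/<id>.<ext>" layout are hypothetical.

// Pattern the advisory describes: the request value goes into the path as-is.
function naive_post_path(string $msgDir, string $origId, string $ext): string
{
    return $msgDir . '/' . $origId . '.' . $ext;
}

// Hardened form: allow-list the ID, then confirm the resulting path is still
// directly inside the message directory and names an existing post.
function resolve_parent_post(string $msgDir, $origId, string $ext): ?string
{
    // \A and \z anchor the whole string, so a trailing newline or NUL fails.
    if (!is_string($origId) || !preg_match('/\A[1-9][0-9]{0,9}\z/', $origId)) {
        return null;                        // not a plain decimal ID
    }
    $base = realpath($msgDir);
    if ($base === false) {
        return null;                        // message directory missing
    }
    $path = $base . DIRECTORY_SEPARATOR . $origId . '.' . $ext;
    // Defence in depth; is_file() assumes each post is stored as its own file.
    if (dirname($path) !== $base || !is_file($path)) {
        return null;                        // left the directory or no such post
    }
    return $path;
}

// Constructed demo data: a throwaway message directory holding post 12.
$msgDir = sys_get_temp_dir() . '/mboard_demo_' . getmypid();
@mkdir($msgDir);
touch($msgDir . '/12.txt');

// Constructed inputs; the traversal string is the one quoted in the advisory.
$inputs = ['12', '13', '../../../../../../tmp/ZOMGHAX', "12\0", '12/../12', ['12']];
foreach ($inputs as $in) {
    $naive = is_string($in) ? naive_post_path($msgDir, $in, 'txt') : '(not a string)';
    $safe  = resolve_parent_post($msgDir, $in, 'txt');
    echo 'orig_id = ', json_encode($in), "\n";
    echo '  naive : ', json_encode($naive), "\n";
    echo '  safe  : ', $safe === null ? 'REJECTED' : $safe, "\n";
}

unlink($msgDir . '/12.txt');
rmdir($msgDir);
```

Only "12" is accepted; every other input is rejected before any file operation. The Magic Quotes workaround listed above is not available on PHP 5.4 and later, where the feature was removed, so input validation of this kind or the upgrade to 1.3 is the durable fix.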

