APBoard - post threads to protected forums and possibility to hijack forum-password

2007.11.01
Credit: ProXy
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Product: Another PHP Program - APBoard
Versions: tested on 2.02, 2.03
Vulnerability: post threads to protected forums and possibility to hijack forum-password
Date: November 12, 2002
Discovered by: ProXy <proxy (at) es-crew (dot) de [email concealed]>

Introduction:
Normal users can submit threads to password-protected forums and may hijack the forum password with a referer-logging script. The board takes the target forum from a hidden form field and never checks server-side that the posting user has actually authenticated to that forum. I have already informed APP about this vulnerability!

Exploit:
1. Register an account on the vulnerable board.
2. Go to any forum and click on "Neues Thema" (new topic).
3. Open the source code of this page and scroll down to the following lines:

<---code--->
<INPUT TYPE="hidden" NAME="sess_id" VALUE="">
<INPUT TYPE="hidden" NAME="postit" VALUE="TRUE">
<INPUT TYPE="hidden" NAME="insertinto" VALUE="1">
<INPUT TYPE="hidden" NAME="BoardID" VALUE="1">
<INPUT CLASS="button" TYPE="submit" NAME="new_topic" VALUE="Thema posten">
<INPUT CLASS="button" TYPE="submit" NAME="preview_topic" VALUE="Vorschau">
<---code--->

4. Change the "insertinto" value to the ID of the protected forum where you want to submit the new thread, e.g.:
<INPUT TYPE="hidden" NAME="insertinto" VALUE="12">
5. Save the edited page locally.
6. Open the local file, write your text, then click "Thema posten" (post topic). The server accepts the modified field and the new thread is posted to the protected forum.

Another bug in this board: when a user logs into a protected forum, the forum password is carried in the URL in plaintext, e.g.:
http://www.your-domain.com/apboard/thread.php3?id=999&passwort=1&thepasswordhere
Because browsers send the full URL of the current page as the Referer header when a link on it is followed, you can create a referer-logging script and link to it from the thread posted in the protected forum. If any user clicks the link, the plaintext password is saved in the attacker's logs.

- ProXy -
http://www.es-crew.de
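The two defects above, modelled in Python as an added example (this is not APBoard's code; the forum table, the session object, the function names and the Combined-Log-Format lines are all constructed for illustration). The first half contrasts a handler that trusts the hidden "insertinto" field with one that authorizes the target forum against what the server-side session has unlocked; the second half is the attacker's side of the Referer leak, a scanner that pulls any Referer carrying a "passwort" parameter out of access-log lines, which is also the check a defender would run over their own logs to see whether the leak has been exercised.

```python
"""
Added example, not APBoard's own code. Models the advisory's two bugs:

1. The new-thread form carries the target forum in a hidden field
   ("insertinto"). A handler that trusts that field lets any registered
   user post into a password-protected forum. The fix authorizes the
   target forum server-side against the session's unlocked set.

2. The forum password travels in the URL ("passwort=..."), so any link
   clicked from that page leaks the full URL in the Referer header.
   leaked_referers() is the scanner an attacker (or a defender auditing
   their own logs) would run over web-server log lines.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed data: forum id -> password (None means an open forum).
FORUM_PASSWORDS = {1: None, 12: "s3cret"}


@dataclass
class Session:
    """Server-side session state; unlocked_forums is the only trusted record."""
    user: str
    unlocked_forums: set = field(default_factory=set)


def post_thread_vulnerable(session, form):
    """Trusts the client-controlled hidden field, as the advisory describes."""
    forum_id = int(form["insertinto"])
    return ("posted", forum_id)


def post_thread_fixed(session, form):
    """Treats 'insertinto' as untrusted input and authorizes it server-side."""
    forum_id = int(form["insertinto"])
    if forum_id not in FORUM_PASSWORDS:
        return ("denied", forum_id)
    protected = FORUM_PASSWORDS[forum_id] is not None
    if protected and forum_id not in session.unlocked_forums:
        return ("denied", forum_id)
    return ("posted", forum_id)


def unlock_forum(session, forum_id, password):
    """Checks the forum password once and records success in the session,
    so the password never has to ride along in later URLs."""
    expected = FORUM_PASSWORDS.get(forum_id)
    if expected is not None and password == expected:
        session.unlocked_forums.add(forum_id)
        return True
    return False


# Combined Log Format: request line, status, size, then the quoted Referer.
LOG_RE = re.compile(r'"(?P<method>\S+) (?P<path>\S+) \S+" \d+ \S+ "(?P<referer>[^"]*)"')


def leaked_referers(log_lines, param="passwort"):
    """Returns (referer_url, query_string) for every log line whose Referer
    carries the password parameter in its query string."""
    found = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("referer") == "-":
            continue
        referer = m.group("referer")
        query = urlsplit(referer).query
        if param in parse_qs(query, keep_blank_values=True):
            found.append((referer, query))
    return found


# Constructed sample log lines from a hypothetical referer-logging script r.php.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Nov/2002:10:00:00 +0100] "GET /r.php HTTP/1.0" 200 0 '
    '"http://www.your-domain.com/apboard/thread.php3?id=999&passwort=1&thepasswordhere" "Mozilla/4.0"',
    '203.0.113.9 - - [12/Nov/2002:10:01:00 +0100] "GET /r.php HTTP/1.0" 200 0 '
    '"http://www.your-domain.com/apboard/thread.php3?id=5" "Mozilla/4.0"',
    '203.0.113.7 - - [12/Nov/2002:10:02:00 +0100] "GET /r.php HTTP/1.0" 200 - "-" "Mozilla/4.0"',
]


if __name__ == "__main__":
    s = Session("attacker")
    print(post_thread_vulnerable(s, {"insertinto": "12"}))  # posted without any check
    print(post_thread_fixed(s, {"insertinto": "12"}))       # denied: forum 12 not unlocked
    unlock_forum(s, 12, "s3cret")
    print(post_thread_fixed(s, {"insertinto": "12"}))       # posted after a real unlock
    for referer, query in leaked_referers(SAMPLE_LOG):
        print("leaked:", query, "from", referer)
```

The fixed handler deliberately keeps reading "insertinto" from the form: hidden fields are fine as a hint for which forum to post into, the bug is treating them as proof of authorization. Moving the unlock state into the session also removes the Referer leak at its source, since the password no longer appears in any URL for a browser to forward.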


Copyright 2024, cxsecurity.com