Summary:
Normal users can submit threads to password-protected forums and possibly hijack the forum password with a referer-logging script.
Credit:
The information has been provided by ProXy.
Vulnerable systems:
* APBoard version 2.02
* APBoard version 2.03
Exploit:
1) Register an account on the vulnerable board.
2) Go to any forum and click on "Neues Thema".
3) View the page source of that site and scroll down to the following lines:
<---code--->
<INPUT TYPE="hidden" NAME="sess_id" VALUE="">
<INPUT TYPE="hidden" NAME="postit" VALUE="TRUE">
<INPUT TYPE="hidden" NAME="insertinto" VALUE="1">
<INPUT TYPE="hidden" NAME="BoardID" VALUE="1">
<INPUT CLASS="button" TYPE="submit" NAME="new_topic" VALUE="Thema posten">
<INPUT CLASS="button" TYPE="submit" NAME="preview_topic" VALUE="Vorschau">
<---code--->
4) Change the "insertinto" value to the ID of the forum where you want to submit the new thread, e.g.: <INPUT TYPE="hidden" NAME="insertinto" VALUE="12">
5) Save the file locally.
6) Open the file, write your text and click "Thema posten"; the new thread will be posted to the protected forum.
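The root cause of steps 4 to 6 is that the board trusts the hidden "insertinto" field as proof of which forum the user may post to. The following is an added example (not APBoard code) of the server-side check a fixed board needs: the target forum id is still read from the form, but the thread is only inserted if the session has actually unlocked that forum. Forum ids, the password value, the Session type and all function names are constructed for the example; only the field name "insertinto" comes from the advisory.

```python
"""Server-side authorization of the target forum (added example, not APBoard code).

The hidden 'insertinto' field is untrusted input: the user can set it to
any forum id. The defence is to keep "which protected forums has this
session unlocked" as server-side session state and re-check it before
inserting the thread. Everything except the field name is constructed.
"""
import hmac
from dataclasses import dataclass, field

# Constructed forum table: forum id -> password, or None for a public forum.
FORUMS = {
    1: None,              # public forum
    12: "s3cret-board",   # password-protected forum
}


@dataclass
class Session:
    user: str
    # ids of protected forums this session has unlocked (server-side state,
    # never something the client asserts through a hidden field)
    unlocked: set = field(default_factory=set)


def unlock_forum(session, forum_id, password):
    """Forum login: constant-time compare, then remember the result in the session."""
    expected = FORUMS.get(forum_id)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return False
    session.unlocked.add(forum_id)
    return True


def parse_forum_id(form):
    """Read 'insertinto' defensively: anything that is not an integer is rejected."""
    try:
        return int(form.get("insertinto", ""))
    except ValueError:
        return None


def vulnerable_post(session, form, threads):
    """Mirrors the advisory: any existing forum id in the hidden field is accepted."""
    forum_id = parse_forum_id(form)
    if forum_id not in FORUMS:
        return False
    threads.append((forum_id, session.user, form["text"]))
    return True


def can_post(session, forum_id):
    """Authorization rule: the forum exists and is public or has been unlocked."""
    if forum_id not in FORUMS:
        return False
    return FORUMS[forum_id] is None or forum_id in session.unlocked


def hardened_post(session, form, threads):
    """Same handler with the authorization check the affected board lacked."""
    forum_id = parse_forum_id(form)
    if not can_post(session, forum_id):
        return False
    threads.append((forum_id, session.user, form["text"]))
    return True


if __name__ == "__main__":
    sess = Session("alice")
    form = {"insertinto": "12", "text": "hello"}
    print("vulnerable:", vulnerable_post(sess, form, []))   # True: hidden field trusted
    print("hardened:  ", hardened_post(sess, form, []))     # False: forum 12 not unlocked
```

The session, not the form, is the source of truth: a client that edits "insertinto" to a protected forum it never logged into is refused, while the same request succeeds once unlock_forum has recorded a correct password for that forum.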
Another bug in this board is that when a user logs into a protected forum, the forum password is shown in plaintext in the title bar, e.g.: http://www.your-domain.com/apboard/thread.php3?id=999&passwort=1&thepasswordhere
An attacker could create a referer-logging script and link to it from a thread posted in the protected forum. If any user clicks on the link, the plaintext password is saved in the attacker's logs.
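A password carried in a GET URL ends up in the server's own access log and in the Referer header of whatever page the user visits next, which is exactly the leak described above. The following is an added example (not APBoard code) of what an administrator of an affected board can do on the log side: scan access-log lines for query strings that carry a password parameter, both in the request path and in the Referer, and scrub them before the logs are stored. The log lines are constructed; the parameter name "passwort" and the URL shape come from the advisory, the other names in SENSITIVE_PARAMS are assumed common spellings. Note that in the advisory's URL the password itself rides as a bare token after "passwort=1", so once a sensitive name is present the whole query string is redacted rather than a single value.

```python
"""Detect and redact credentials carried in URL query strings (added example).

Not APBoard code. Scans Apache/nginx "combined" log lines for query
parameters with password-like names in the request path and the Referer,
reports each hit, and redacts the entire query string of offending URLs.
Log lines are constructed for the example.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# 'passwort' is the parameter seen in the advisory; the rest are assumed
# common spellings a defender would also want to catch.
SENSITIVE_PARAMS = {"passwort", "password", "passwd", "pwd", "pass"}

# combined log format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a forum login URL in the path, the same URL later
# leaking as the Referer of a request to another page, and a clean line.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2000:13:55:36 +0000] '
    '"GET /apboard/thread.php3?id=999&passwort=1&thepasswordhere HTTP/1.0" 200 2326 '
    '"http://www.your-domain.com/apboard/forum.php3?id=12" "Mozilla/4.0"',
    '203.0.113.5 - - [10/Oct/2000:13:56:01 +0000] '
    '"GET /cgi-bin/log.pl HTTP/1.0" 200 17 '
    '"http://www.your-domain.com/apboard/thread.php3?id=999&passwort=1&thepasswordhere" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Oct/2000:13:57:12 +0000] '
    '"GET /apboard/thread.php3?id=1000 HTTP/1.0" 200 1800 "-" "Mozilla/4.0"',
]


def sensitive_params(url):
    """Names of password-like query parameters present in url (sorted, lower-case)."""
    query = urlsplit(url).query
    names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)


def redact_url(url):
    """Replace the whole query string when it carries a sensitive parameter.

    The password in the advisory's URL is a bare token next to 'passwort=1',
    so redacting only the named value would leave the secret behind.
    """
    if not sensitive_params(url):
        return url
    return urlunsplit(urlsplit(url)._replace(query="REDACTED"))


def find_leaks(lines):
    """Report every path or Referer in the log that carries a sensitive parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for where in ("path", "referer"):
            names = sensitive_params(m.group(where))
            if names:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "where": where,
                    "params": names,
                    "url": redact_url(m.group(where)),
                })
    return findings


def redact_line(line):
    """Scrub path and Referer in a log line before it is stored or shipped."""
    m = LOG_RE.match(line)
    if not m:
        return line
    out = line
    # replace the later group first so the earlier offsets stay valid
    for grp in ("referer", "path"):
        start, end = m.span(grp)
        out = out[:start] + redact_url(m.group(grp)) + out[end:]
    return out


if __name__ == "__main__":
    for hit in find_leaks(LOG_LINES):
        print(f'{hit["ip"]} {hit["where"]} {hit["params"]} -> {hit["url"]}')
    for line in LOG_LINES:
        print(redact_line(line))
```

Running it over the sample lines reports the leak twice: once in the request path of the forum login and once as the Referer of the following request, which is the route by which a third party's logging script receives the password. The real fix is upstream (accept the forum password only in a POST body and keep the unlocked state in the session), but redacting at log-ingest time limits the damage on an unpatched board.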