APBoard-BugDec 06 2002 09:03PM DNA ESC (dna http ch)
Product: APBoard-Bug
Versions: tested on 2.02
Vulnerability: users can subscribe a thread in the internal forum
Date: Dezember 5, 2002
Discovered by: DNA <dna (at) es-crew (dot) de [email concealed]>
Introduction:
Normal Users can read new answers to a thread in the internal forum
I have already informed APP about this vulnerability!
Exploit:
1.) register an account on vuln board
2.) while the number of the threads from the intern board were seen in the public board , everybody can see when a new thrad were created
3.) You are able to get the thread-id of the last created thread in the internal form by increasing the last public threadid by one.(you may find it by searching + sort by date)
"useraction.php" does no test whether the subscription is allowed or not, so an unauthorized
person is able to read the replies he was sent, which eleminates the intention of the
internal forums' existance.
-------------------
Sorry but i can't speak english very well
- DNA
- http://www.es-crew.de
_____________________________________________________________
Sign up for FREE email from http.ch - http://www.http.ch
_____________________________________________________________
Select your own custom email address for FREE! Get you (at) yourchoice (dot) com [email concealed] w/No Ads, 6MB, POP & more! http://www.everyone.net/selectmail?campaign=tag
Product: APBoard-Bug
Versions: tested on 2.02
Vulnerability: users can subscribe a thread in the internal forum
Date: Dezember 5, 2002
Discovered by: DNA <dna (at) es-crew (dot) de [email concealed]>
Introduction:
Normal Users can read new answers to a thread in the internal forum
I have already informed APP about this vulnerability!
Exploit:
1.) register an account on vuln board
2.) while the number of the threads from the intern board were seen in the public board , everybody can see when a new thrad were created
3.) You are able to get the thread-id of the last created thread in the internal form by increasing the last public threadid by one.(you may find it by searching + sort by date)
4.) Using the link
www.board.de/useraction.php3?action=subscribe_thread&threadid=
it is possible to subscribe an internal thread whose replies will be sent to you by email automatically.
------------------
for example: (in case of threadid=990)
www.board.de/useraction.php3?action=subscribe_thread&threadid=990
"useraction.php" does no test whether the subscription is allowed or not, so an unauthorized
person is able to read the replies he was sent, which eleminates the intention of the
internal forums' existance.
-------------------
Sorry but i can't speak english very well
- DNA
- http://www.es-crew.de
_____________________________________________________________
Sign up for FREE email from http.ch - http://www.http.ch
yourname (at) http (dot) ch [email concealed] for free ;o) !
_____________________________________________________________
Select your own custom email address for FREE! Get you (at) yourchoice (dot) com [email concealed] w/No Ads, 6MB, POP & more! http://www.everyone.net/selectmail?campaign=tag
[ reply ]