MHL-2006-004 - Public Advisory

+-----------------------------------------------------------+
| mboard Security Issue |
+-----------------------------------------------------------+

PUBLISHED ON
November 26th, 2006

PUBLISHED AT
http://www.mayhemiclabs.com/advisories/MHL-2006-004.txt
http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006004

PUBLISHED BY
Mayhemic Labs
http://www.mayhemiclabs.com

security AT mayhemiclabs DOT com
GPG key: 0x56143F84

APPLICATION
MBoard - PHP message board
http://www.phpjunkyard.com/php-message-board.php

"MBoard is a PHP message board script (a simple forum)."

AFFECTED VERSIONS
Versions 1.22 and below

ISSUES
MBoard does not check the Post ID for malicious data when replying,
allowing an attacker to create blank files on the system wherever
the web server has write access.

Example: An attacker can reply to a message, and edit the "orig_id"
variable to something malicious ("../../../../../../tmp/ZOMGHAX")
mboard will then create the specified file (appending the
configured extension.

WORKAROUNDS
Enabling Magic Quotes will negate the issue.

SOLUTIONS
Upgrade to version 1.3

REFERENCES
MBoard - http://www.phpjunkyard.com/php-message-board.php

TIMELINE
October 11th, 2006
Vendor/Developer Notified
Vendor/Developer Response Recieved

October 25th, 2006
Vendor/Developer Followup
Vendor/Developer Response Recieved

November 16th, 2006
Vendor/Developer Followup

November 18th, 2006
New Version Released

November 26th, 2006
Advisory Released

ADDITIONAL CREDIT
N/A

LICENSE
Creative Commons Attribution-ShareAlike License
http://creativecommons.org/licenses/by-sa/2.5

[ reply ]