aterr-exploits.txt - advisories - Security advisories that I have released to the public.
(HTM) git clone git://jay.scot/advisories
---
aterr-exploits.txt (2114B)
---
Aterr Forums Multiple Vulnerabilities



SUMMARY
--------

Aterr is a threaded forum system allowing registered visitors to express
their opinions, discuss topics, and debate with other visitors. A threaded
forum system differs from regular, flat forum systems in that once posted,
a thread can fork, allowing visitors to reply directly to other posts. Aterr
also provides a customisable permissions system, the ability to nest forums,
and moderation tools.



IMPACT
-------

Can lead to disclosure of system information, disclosure of user information
and modification of the forum setup.



VERSIONS
---------

Vulnerable systems:
* Aterr versions prior to 0.4

Immune systems:
* Aterr version 0.5


DESCRIPTION #1 - Modification of Forum Setup
--------------

The file forums.php fails to check that the person opening the admin panel
actually holds administrator privileges before letting them edit the forum
setup, such as changing the logo, title etc.


Proof of Concept:

www.yoursite.com/forums/forums.php?op=admin&sub=config

Fix:

Add the following to forums.php starting at line 1393:

1393 : if (!permission::has_flag('forums', F_FORUM_EDIT))
1394 : {
1395 : redirect('http://' . $config['domain_name'] . $config['install_path'] . forums::furl('admin'));
1396 : }


DESCRIPTION #2 - Disclosure of User Information
--------------

The topic header is not HTML-filtered, so an XSS payload can be placed in
any forum post.


Proof of Concept:

Enter the following as a topic header:
<script>alert(document.cookie); </script>

FIX:

None given, upgrade to new version.


DESCRIPTION #3 - Disclosure of System Information
--------------

No check is made to see whether a valid profile has been selected. When an
invalid profile is requested, the forum discloses full path information to
the user.


Proof of Concept:

www.yoursite.com/forums/accounts.php?op=viewprofile&u=

FIX:

None given, upgrade to new version.
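
As an added example, not Aterr's code and not part of the original advisory: the output-encoding and input-validation patterns that would close #2 and #3. The function names, the $find_user callback and the sample user table are assumptions made for the demo.

```php
<?php
// Added example, not Aterr's code: hardening patterns for advisories #2 and #3.
// Function names, the $find_user callback and the sample user table are assumptions.

// #2: the topic header is attacker-controlled text. Encoding it on output renders a
// header such as "<script>alert(document.cookie); </script>" as literal text instead
// of executing it in other visitors' browsers.
function escape_output(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// #3: validate the "u" parameter of accounts.php?op=viewprofile&u= before any lookup.
// Returns a positive integer user id, or null for an empty or malformed value.
function parse_user_id(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Serve a profile page. $find_user is a hypothetical callback returning the user
// row as an array, or null when no such user exists. A missing, malformed or
// unknown id gets a generic 404 body; nothing derived from the install path is
// ever echoed, and display_errors is off so stray notices cannot leak paths either.
function view_profile(?string $raw_id, callable $find_user): array
{
    ini_set('display_errors', '0');
    $id   = parse_user_id($raw_id);
    $user = ($id === null) ? null : $find_user($id);
    if ($user === null) {
        return ['status' => 404, 'body' => 'Profile not found.'];
    }
    return ['status' => 200, 'body' => 'User: ' . escape_output($user['name'])];
}

// Constructed demo data (not from the advisory).
$users = [7 => ['name' => 'alice']];
$find  = fn (int $id): ?array => $users[$id] ?? null;

echo escape_output('<script>alert(document.cookie); </script>'), PHP_EOL;
echo view_profile('', $find)['status'], PHP_EOL;   // the empty u= from the PoC
echo view_profile('7', $find)['status'], PHP_EOL;
```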


ADDITIONAL INFORMATION
-----------------------

Vendor URL - http://chimaera.starglade.org
Underlying OS - Linux (Any), UNIX (Any), Windows (Any)
Credit - Jay Scott
Message History - None
