Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
myPHP Forum v3 (possible v1 & 2 also) Identification 'spoof'
From: Terencentanio Enache (terencentanio.enachebtopenworld.com)
Date: Tue Apr 26 2005 - 14:30:02 CDT
~ PHOX: myPHP v3 (Final) 'Sender/Poster Exploit' ~
Exploit discovered by Phox/Terencentanio/Phoxpherus of Root32.
Email: terencentanio.enachebtopenworld.com / terencentanioroot32.com
There are two exploits here.
#1. Posting as someone else.
This will change the poster username to "Admin" (can be edited to whatever username you like) and then it'll confirm success by alerting with the new name.
Then, you type your subject and body and post.
#2. Sending messages as someone else.
This is the same as the post one, but the JS is a bit different.
Load the page to send a PM to a user, then enter into the URL bar:
When you send, it'll appear to them as being from "Admin" or whatever you change it to.
You can really do whatever you want with this.
To solve these, you'll have to open post.php and privmsg.php
In post.php, pay a visit to line 82 and change "$nbuser = $_POST['nbuser'];" into "$nbuser = $_COOKIE['nbuser'];"
In privmsg.php, line 208, change "$sender = $_POST['sender'];" to "$sender = $_POST['sender'];"
There may be some other things that need changing. Due to limits on my time, and the fact that I found this sploit and am writing this while I should be working on a site, I can't go into everything and do proper tests, etc.
Vendor will be notified as soon as possible. Hopefully he'll take notice of this one (he ignored the last one)