From: Alexander Heidenreich (alexsystemli.org)
Date: Thu Aug 11 2005 - 15:32:34 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

We have found a security problem in the tree view of FUD Forum
Bulletin Board Software (http://www.fudforum.org) in version 2.6.15,
earlier versions maybe affected as well.

Description:

If a user enables tree view of messages he is able to view any
message on the system, no matter he has the necessary rights or not.
All he has to do is to change the &mid= in the url of a forum he has
the right to access to the id of the message he wants to read. With a
little perl script an attacker can download any message of a board.

Solution:

The problem cannot be exploited if the administrator has deactivated
the tree view or install the following patch:

> --- tree.php.t 2005/07/27 23:39:08 1.82
> +++ tree.php.t 2005/08/08 13:36:52 1.83
> -2,7 +2,7
> /**
> * copyright : (C) 2001-2004 Advanced Internet Designs Inc.
> * email : forumprohost.org
> -* $Id: tree.php.t,v 1.82 2005/07/27 23:39:08 hackie Exp $
> +* $Id: tree.php.t,v 1.83 2005/08/08 13:36:52 hackie Exp $
> *
> * This program is free software; you can redistribute it and/or
> modify it
> * under the terms of the GNU General Public License as published
> by the
> -139,7 +139,7
> LEFT JOIN {SQL_TABLE_PREFIX}poll p ON m.poll_id=p.id'.
> (_uid ? ' LEFT JOIN {SQL_TABLE_PREFIX}poll_opt_track pot ON
> pot.poll_id=p.id AND pot.user_id='._uid : ' ').'
> WHERE
> - m.id='.$mid.' AND m.apr=1');
> + m.id='.$mid.' AND m.apr=1 AND m.thread_id='.$th);
>
> if (!$msg_obj) { // invalid message id
> invl_inp_err();

Greatings,
Alexander Heidenreich

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]