MHL-2006-003 Public Advisory: "mboard" file creation issue

2006-11-28T00:00:00
ID SECURITYVULNS:DOC:15238
Type securityvulns
Reporter Securityvulns
Modified 2006-11-28T00:00:00

Description

MHL-2006-004 - Public Advisory

+-----------------------------------------------------------+ | mboard Security Issue | +-----------------------------------------------------------+

PUBLISHED ON November 26th, 2006

PUBLISHED AT http://www.mayhemiclabs.com/advisories/MHL-2006-004.txt http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006004

PUBLISHED BY Mayhemic Labs http://www.mayhemiclabs.com

security AT mayhemiclabs DOT com GPG key: 0x56143F84

APPLICATION MBoard - PHP message board http://www.phpjunkyard.com/php-message-board.php

"MBoard is a PHP message board script (a simple forum)."

AFFECTED VERSIONS Versions 1.22 and below

ISSUES MBoard does not check the Post ID for malicious data when replying, allowing an attacker to create blank files on the system wherever the web server has write access.

Example: An attacker can reply to a message, and edit the "orig_id" variable to something malicious ("../../../../../../tmp/ZOMGHAX") mboard will then create the specified file (appending the configured extension.

WORKAROUNDS Enabling Magic Quotes will negate the issue.

SOLUTIONS Upgrade to version 1.3

REFERENCES MBoard - http://www.phpjunkyard.com/php-message-board.php

TIMELINE October 11th, 2006 Vendor/Developer Notified Vendor/Developer Response Recieved

    October 25th, 2006
            Vendor/Developer Followup
            Vendor/Developer Response Recieved

    November 16th, 2006
            Vendor/Developer Followup

    November 18th, 2006
            New Version Released

    November 26th, 2006
            Advisory Released

ADDITIONAL CREDIT N/A

LICENSE Creative Commons Attribution-ShareAlike License http://creativecommons.org/licenses/by-sa/2.5