Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: etc :: hack2560.htm

OpenBB mult vulns



Multiple Vulnerabilities In OpenBB



Vendor  : OpenBB Group

URL     : http://www.openbb.com 

Version : Open Bulletin Board 1.0.6 && Earlier

Risk    : Multiple Vulnerabilities







Description:

OpenBB is a fast, lightweight, powerful bulletin board written 

in PHP/MySQL. Main features include: full customization via styles 

templates, instant messaging, private messaging, categories, member 

ranks, poll based threads, moderation, BB codes, thread notifications, 

Avatars, member lists, private forums and more.  







Cross Site Scripting:

OpenBB is prone to Cross Site Scripting in multiple files. This may 

allow an attacker to run code in the context of a users browser, or 

used to harvest sensitive information from a user such as cookie 

information. Below are some examples of the XSS issues in OpenBB.



/member.php?action=login&redirect=[XSS]

/myhome.php?action=newmsg&to=blah[XSS]

/post.php?action=mail&TID=1[XSS]

/index.php?redirect=[XSS]







SQL Injection:

It may be possible for an attacker to execute arbitrary SQL queries 

due to user supplied input not being properly sanitized. Lets have

a look at some code from one of the affected files ... post.php



// Check to make sure they are not posting to a category

$query_type = new query($SQL, "SELECT type FROM ".$prefix."forum_display 

WHERE forumid = $FID");

$query_type->getrow();

$ftype = $query_type->field('type');



As we can see from this code, the $FID variable seems to get passed

directly to the query without being validated, thus allowing for 

an attacker to execute malicious queries. This is not the only 

vulnerable file though. Below are a list of similarly vulnerable 

files.



/board.php?FID=1[SQL]

/member.php?action=list&page=1&sortorder=[SQL]

/member.php?action=list&page=1&sortorder=username&perpage=[SQL]

/member.php?action=passwdsend&resetid=blah&id=2[SQL]

/search.php?&sortby=dateline&sort=DESC&q=open&forums%5B[SQL]%5D

/post.php?action=edit&page=1&PID=1[SQL]

/post.php?action=post&FID=1[SQL]



These files are prone to similar attacks because they allow input 

that has not been validated to be executed in the query. This can

be used for example to pull users password hashes.







Arbitrary Command Execution:

This is really in my opinion at least, a very fundamental flaw. As 

stated in the HTTP/1.1 RFC (RFC 2616 Section 9.1.1 "Safe Methods") 

no GET request should be used to make any significant actions. This 

however would not be such a big deal if there was some sort of auth 

key or session id in place to verify the validity of actions, but 

there isn't. In short all an attacker has to do is send an admin a 

pm, or make a malicious post with the desired command and the action 

will silently execute. For example below are some example administrative 

actions thatan attacker could include in an image tag or malicious link.



/cp_forums.php?do=remove&id=1

/cp_usergroup.php?do=remove&UGID=1

/cp_ipbans.php?action=do_delip&ipid=1



This kind of attack can also be used to run user and moderator 

commands as seen below. These are only examples, not all the 

possibilities.



/myhome.php?action=delmsg&box=inbox&id=all

/post.php?action=edit&PID=1&send=1&delete=yes

/moderator.php?action=announce&TID=1



OpenBB actually tries to  prevent these kind of attacks by filtering

out certain input as seen in /lib/codeparse.php but this does not 

work. Lets have a look at the code.



case 'img':

if(!preg_match('#^(http|https)://(.*?)\.(gif|jpg|jpeg|png)$#', $inside) )

$return = '[ invalid image ]';

else

$return = 'User-Posted 

Image (tm)';

break;



All an attacker has to do in order to have the command executed 

successfully is make sure the url within the image tag ends with 

an allowed extension. This is not very safe at all because we can 

make up a variable, add a good extension and the code is still ran. 

For example



/post.php?action=edit&PID=1&send=1&delete=yes&image=blah.jpg



As we can see from the above examples, this issue can be used by a 

malicious person to all but completely sabotage a site running 

OpenBB. In the past I have seen phpBB for example deal with the same 

issue of using unsafe GET requests by limiting the bbcode to only 

allow images with a valid extension. However this is a bad idea 

because it does not solve the problem at all, and to this day all 

phpBB versions are vulnerable to having arbitrary posts deleted and 

more just by visiting a malicious web page or link. It is a serious 

issue and should be treated as such. It greatly impacts the security 

of a web application. Even using the POST method without an auth key 

or the like is a bad idea 

in my opinion.





Other Issues:

These other issues I am about to describe have been discovered by a 

guy named Manuel Lopez mantra@gulo.org and asked me to include them 

in this OpenBB write up.



/* Snip */



Hi JeiAr, I am Manuel. 



I have just read your post in OpenBB.

At March 24 2004 I alert Stu about some vulnerabilities that I have found on 

March 20 2004, Stu 



tell me .. "A verson 1.0.7 will be released ASAP".

I was having in mind publishing an advisory as soon as Stu released the new 

version. 



/* Snip */



The issues are in the avatar feature and pm feature. From what I 

understand a user can read arbitrary PM's just by specifying the 

message id. For example the url might look something like this.



http://forum/myhome.php?action=readmsg&id=INT&box=inbox 



Where "INT" is there would be an integer specifying the message ID. 

The other issue discovered by Manuel is the fact that you can upload 

any file as an avatar. While this does not allow for php, or server 

side code execution, it does allow for client side code (such as JS, 

VBS, etc) to be executed. The uploaded code will then be available at 

the following url once uploaded.



http://forum/avatars/[usernamehere]avatar_type 



Once again, just want to specify the last two vulnerabilities were 

discovered by Manuel Lopez and not myself, he just asked if I would 

include them :)







Solution:

 Vendors were contacted many weeks ago and plan to release a fixed 

 version soon. Check the OpenBB website for updates and official 

 release details. 

 Original advisory can be found @ http://www.gulftech.org/04242004.php 







Credits:

Credits go to JeiAr of the GulfTech Security Research Team. 

http://www.gulftech.org 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH