Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web BBS :: etc :: hack7579.htm

MercuryBoard 1.1.1 mult vulns
Multiple vulnerabilities in MercuryBoard 1.1.1

* Advisory #7
* Title: Multiple vulnerabilities in MercuryBoard 1.1.1
* Author: Alberto Trivero
* English Version: Alberto Trivero
* Product: MercuryBoard 1.1.1
* Type: Multiple Vulnerabilities
* Web: 

--) Software Page ( 

"MercuryBoard is a powerful message board system dedicated to raw speed with
a mixture of
features, ease of use, and ease of customization coupled with expandability,
and diverse
language services." Note that is write in PHP OOP.

--) Full Path Disclosure

Let's look at original code from global.php line 604:

As we can see there isn't a control to $num and so if we simply assign to
$num the value 0
(or a not numerical argument), there will be an impossible division by zero
that show the
full path: =0

Other Full Path Disclosure:[file] <--- All the PHP file in 
the dyrectory:
                                             active.php board.php
constants.php cp.php
                                             debug.php email.php forum.php
help.php login.php
                                             members.php mod.php pm.php
post.php printer.php
                                             profile.php register.php
search.php topic.php

--) Cross-Site Scripting (XSS)

Let's look at original code from /func/pm.php line 36:

get['s'])) {
      $this->get['s'] = null;
    case 'send':
      return $this->send();
    case 'view':
      return $this->view();
    case 'delete':
      return $this->delete_pm();
    case 'clear':
      return $this->clear();
      return $this->folder();

As we can see there is a switch/case cycle to get 's' but in this cycle
there isn't any
check if we put other parameter with 's', like this XSS code:'>

Let's look again at original code from /func/members.php line 35:

get['l'])) {
      $this->get['l'] = null;
    } else {
      $this->get['l'] = strtoupper($this->get['l']);

As we can see, also in this case, there isn't parsing methods for the
processing of 'l',
so nothing can prevent us from doing an XSS attack:'> pt>alert(document.cookie)

Other Cross-Site Scripting:'>'>'>< script>alert(document.cookie)'>< script>alert(document.cookie) e='>'>

--) SQL Injection

For the same reason because it's possible to execute the XSS codes described
before, it's
also possible to do SQL Injection attacks. But in this case it's a
non-critical bug, why?
Because we need first login as forum administrator to make successful
attack. For example: 20UNION%20SELECT%20user_id,%20user_password%20FROM%20mb_users%20/*

With the URL before we get, for the just described reason, an error like
this (verified
only on MercuryBoard 1.1.0):

    The used SELECT statements have a different number of columns

--) Patch

After the report to developer of the board of these bugs, they released the
version 1.1.2
of MercuryBoard that correct them: 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH