SECURITYVULNS:DOC:15238
Nov 28, 2006 - 12:00 a.m.

MHL-2006-003 Public Advisory: "mboard" file creation issue


MHL-2006-004 - Public Advisory

+-----------------------------------------------------------+
| mboard Security Issue                                     |
+-----------------------------------------------------------+

PUBLISHED ON
November 26th, 2006

PUBLISHED AT
http://www.mayhemiclabs.com/advisories/MHL-2006-004.txt
http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006004

PUBLISHED BY
Mayhemic Labs
http://www.mayhemiclabs.com

security AT mayhemiclabs DOT com
GPG key: 0x56143F84

APPLICATION
MBoard - PHP message board
http://www.phpjunkyard.com/php-message-board.php

"MBoard is a PHP message board script (a simple forum)."

AFFECTED VERSIONS
Versions 1.22 and below

ISSUES
MBoard does not check the Post ID for malicious data when replying,
allowing an attacker to create blank files on the system wherever
the web server has write access.

Example: An attacker can reply to a message and edit the "orig_id"
variable to something malicious ("../../../../../../tmp/ZOMGHAX").
MBoard will then create the specified file (appending the
configured extension).

WORKAROUNDS
Enabling Magic Quotes will negate the issue.

SOLUTIONS
Upgrade to version 1.3
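
An allow-list check for the reply's "orig_id" before it is used in a file name, written here as an added example; it is not MBoard's code or the 1.3 fix. MSG_EXT, reply_file_path() and the scratch directory are assumed names, and the rule that a reply must reference an existing post is an assumption about the board's intended behaviour.

```php
<?php
// Added example, not MBoard source. MSG_EXT, reply_file_path() and the
// demo directory are hypothetical names; sample inputs are constructed.
const MSG_EXT = '.txt';

// Return the existing post file a reply refers to, or null if orig_id is unsafe.
function reply_file_path(string $msgDir, $origId): ?string
{
    // 1. Allow-list: a post ID is a short run of decimal digits and nothing else
    //    (\A and \z anchor the whole string, so a trailing newline also fails).
    if (!is_string($origId) || !preg_match('/\A[0-9]{1,10}\z/', $origId)) {
        return null;
    }
    // 2. Defence in depth: the candidate file must sit directly in the
    //    resolved storage directory.
    $base = realpath($msgDir);
    if ($base === false) {
        return null;
    }
    $path = $base . DIRECTORY_SEPARATOR . $origId . MSG_EXT;
    if (dirname($path) !== $base) {
        return null;
    }
    // 3. A reply must point at a post that already exists; never create a
    //    file whose name comes from the client.
    return is_file($path) ? $path : null;
}

// Demo with constructed input: one real post (ID 42) in a scratch directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mboard_demo_' . getmypid();
mkdir($dir);
touch($dir . DIRECTORY_SEPARATOR . '42' . MSG_EXT);

$samples = ['42', '43', '../../../../../../tmp/ZOMGHAX', "42\0", "42\n", ['42']];
foreach ($samples as $s) {
    $ok = reply_file_path($dir, $s) !== null;
    printf("%-36s %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), $ok ? 'accepted' : 'rejected');
}

unlink($dir . DIRECTORY_SEPARATOR . '42' . MSG_EXT);
rmdir($dir);
```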

REFERENCES
MBoard - http://www.phpjunkyard.com/php-message-board.php

TIMELINE
    October 11th, 2006
            Vendor/Developer Notified
            Vendor/Developer Response Received

    October 25th, 2006
            Vendor/Developer Followup
            Vendor/Developer Response Received
            
    November 16th, 2006
            Vendor/Developer Followup

    November 18th, 2006
            New Version Released
            
    November 26th, 2006
            Advisory Released

ADDITIONAL CREDIT
N/A

LICENSE
Creative Commons Attribution-ShareAlike License
http://creativecommons.org/licenses/by-sa/2.5