myPHP Forum v1, 2 & 3
~ PHOX: myPHP Forum v1, 2 & 3 Exploits ~
###
# Content
###
- Credits
- SMFDBPWNOCS
- Solution
- Contact
###
# Credits
###
Exploit discovered by Phoxpherus (Phorce), Phox (R&P), Terencentanio (Root32)
###
# SMFDBPWNOCS - Stupid Mofo Database Spamming When No One Can See
###
In short, forum.php and topic.php have no validation checks. They are wide open
to do whatever you want.
Let's use myphp.ws forums for example. You go to their forums, click a forum
category. In the URL bar, you'll see "fid=n", where n is the topic number. Now,
we can change this to whatever we want. Let's say, "fid=999999999". Nothing
will be displayed, but we can still click the "new topic" link. By doing so, we
can enter a message into forum "999999999" ... but that forum doesn't even
exist.
The same stands for topic.php. If you click a topic, you'll see "tid=n". We can
again change this to anything we want, say "999999999", and post replies.
This allows for spamming of a database, and no one can see it. Not tried, but
you may even be able to start your own forums up.
###
# Solution
###
The solution I have used is:
[PHP]
$jym = $_GET['fid'];
$lralg = "SELECT * FROM $db_forum WHERE fid = '$val'";
$res = mysql_query($lralg);
$hu = mysql_numrows($res);
$i=0;
while ($i < $hu) {
$hysa = mysql_result($res,$i,"name");
$i++;
}
if($hu == "0")
{
header("Location: index.php");
}
[/PHP]
.. in forum.php. You can add a variant to topic.php to patch the other hole.
###
# Contact
###
Email: terencentanio.enache@xxxxxxxxxxxxxxx
MSN: al_bhed_brother@xxxxxxxxxxxxx