MHL-2006-003 Public Advisory: "mboard" file creation issue
MHL-2006-004 - Public Advisory
+-----------------------------------------------------------+
| mboard Security Issue |
+-----------------------------------------------------------+
PUBLISHED ON
November 26th, 2006
PUBLISHED AT
http://www.mayhemiclabs.com/advisories/MHL-2006-004.txt
http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006004
PUBLISHED BY
Mayhemic Labs
http://www.mayhemiclabs.com
security AT mayhemiclabs DOT com
GPG key: 0x56143F84
APPLICATION
MBoard - PHP message board
http://www.phpjunkyard.com/php-message-board.php
"MBoard is a PHP message board script (a simple forum)."
AFFECTED VERSIONS
Versions 1.22 and below
ISSUES
MBoard does not check the Post ID for malicious data when replying,
allowing an attacker to create blank files on the system wherever
the web server has write access.
Example: An attacker can reply to a message, and edit the "orig_id"
variable to something malicious ("../../../../../../tmp/ZOMGHAX")
mboard will then create the specified file (appending the
configured extension.
WORKAROUNDS
Enabling Magic Quotes will negate the issue.
SOLUTIONS
Upgrade to version 1.3
REFERENCES
MBoard - http://www.phpjunkyard.com/php-message-board.php
TIMELINE
October 11th, 2006
Vendor/Developer Notified
Vendor/Developer Response Recieved
October 25th, 2006
Vendor/Developer Followup
Vendor/Developer Response Recieved
November 16th, 2006
Vendor/Developer Followup
November 18th, 2006
New Version Released
November 26th, 2006
Advisory Released
ADDITIONAL CREDIT
N/A
LICENSE
Creative Commons Attribution-ShareAlike License
http://creativecommons.org/licenses/by-sa/2.5