Re: Information Disclosure with Invision Board installation (fwd)

[Gossi The Dog <gossi () lab6 com>]

Well, the developers have responded;

http://forums.invisionboard.com/index.php?act=ST&f=30&t=23569

> From Matt, "IBF Project Leader"

--------------------- snip -----------------------------

"Whilst disclosing phpinfo.php to the world does expose installed modules, 
paths and such - it's hardly the biggest security risk.

Any PHP script that fails tells the viewer the full path to the script, as 
does perl/CGI, etc.

The information that phpinfo.php provides about the server can be got by a 
simple desktop application as the information is quite freely distributed 
(the basic idea of web protocols).

FYI, we only set the SSL server up to test a few ideas, we use a merchant 
account to process our credit card orders - they are not processed on our 
server.

Edit:

I've set up security () invisionboard com, so I will actually get the email 
this time rather than it be eaten up in our system.

I guess if this is the only "security" breach they can find with Invision 
Board, we're doing well  "

"I didn't receive any email, this is the first I've heard about it - my 
email address is readily available and my signature says that I'm the lead 
developer and should be the first point of contact in this case.

To make it easier, I've set up security () invisionboard com - all of our 
unrouted mail is pretty much forwarded to dev/null because of the 
different systems we have tied into our mail system (and to reduce the 
amazing level of spam we get).

Yes, phpinfo.php discloses the server environment - but not a great deal 
more than one could find out by other means.

My point being, there is no need for a full scale panic over this. The 
phpinfo.php file has been distributed with Invision Board since day 1 and 
I've not heard of anyone having their server hacked over it.

I'll probably remove it in future releases to appease the over paranoid. 
"

--------------------- snip -----------------------------

Quite honestly, this is a bit worrying.  "Matt" seems to think that people 
can remotely obtain this kind of information due to the "the basic web 
protocols" without phpinfo.  This is complete rubbish.  Disclosing 
application paths on servers, PHP setup... etc is very much not possible 
via "basic web protocols".

If people are clued up enough to understand why this is a problem, I would 
suggest they mail their concerns to security () invisionboard com.

Regards,
Gossi.


On Tue, 24 Sep 2002, Gossi The Dog wrote:

> Since the vendors didn't bother to respond, I might as well forward this 
> on.
>
> Basic jizt - Invision Board (all version) - installation guide copies 
> across phpinfo.php, a file which calls phpinfo().
>
> Example;
> http://blahblahblah.corp.com/phpinfo.php
>
> (just do a search on Google for "Invision Board" and append phpinfo.php to 
> the URL).
>
> Why is this bad?  Well, duh.  It gives you system varibles, path names, 
> modules of apache, PHP setup, Apache module version numbers etc etc.
>
> Note to vendors: please reply to security mail in the future.
>
> #phrack whore
>
> ---------- Forwarded message ----------
> Date: Mon, 23 Sep 2002 20:31:41 +0100 (BST)
> From: Gossi The Dog <gossi () lab6 com>
> To: security () invisionboard com
> Cc: support () invisionboard com, gossi () lab6 com
> Subject: Information Disclosure with Invision Board installation
>
>
> Hi,
>
> Okay, how to explain this one...
>
> The installation procedure for Invision Board advises to upload various 
> files and directorys.  One of these is 'phpinfo.php'.
>
> Now, I'm sorry, but this is dumb.
>
> Why?
>
> Example.
>
> http://forums.invisionboard.com/phpinfo.php
>
> I can now tell you don't have PHP Safe mode installed, exactly what Apache 
> modules you have loaded, your full Apache SERVER_SOFTWARE (Apache/1.3.26 
> (Unix) mod_bwlimited/1.0 PHP/4.2.1 mod_log_bytes/0.3 FrontPage/5.0.2.2510 
> mod_ssl/2.8.9 OpenSSL/0.9.6b)...
>
> etc.
>
>
> PHP modules, settings, system variables...  They're all out there.  Also, 
> note, your OpenSSL version is out of date and fully remotely exploitable 
> (I managed to obtain that from phpinfo.php - you had it hidden before, but 
> phpinfo.php discloses this information).
>
> Do you agree this is a problem?
>
> You need to modify the installation guide to say this file should *only* 
> be uploaded for diagnoises and debugging reasons, and possible move it to 
> a different folder (eg debug) to stop people uploading it by accident.  
> People also need to be reminded to *remove* the file if they upload it for 
> debugging purposes after they finish.
>
> You also need to notify existing users of the software about the file.
>
> I did a quick Google search for "Invision Board", and every single one of 
> the boards I tried (About 50) had the file.  Oops.
>
> I'm planning to do some kind of bugtraq announcement after I've got a plan 
> of action from yourselves (and I've given you a decent grace period), 
> basically to make sure as many people as possible remove the file.
>
>
> Thanks muchly,
>
> Gossi The Dog.