Full Disclosure mailing list archives
Fudforum: incompletely check of user rights in tree view gaining access to all messages
From: Alexander Heidenreich <alex () systemli org>
Date: Thu, 11 Aug 2005 22:32:34 +0200
Hello,We have found a security problem in the tree view of FUD Forum Bulletin Board Software (http://www.fudforum.org) in version 2.6.15, earlier versions maybe affected as well.
Description:If a user enables tree view of messages he is able to view any message on the system, no matter he has the necessary rights or not. All he has to do is to change the &mid= in the url of a forum he has the right to access to the id of the message he wants to read. With a little perl script an attacker can download any message of a board.
Solution:The problem cannot be exploited if the administrator has deactivated the tree view or install the following patch:
--- tree.php.t 2005/07/27 23:39:08 1.82 +++ tree.php.t 2005/08/08 13:36:52 1.83 @@ -2,7 +2,7 @@ /** * copyright : (C) 2001-2004 Advanced Internet Designs Inc. * email : forum () prohost org -* $Id: tree.php.t,v 1.82 2005/07/27 23:39:08 hackie Exp $ +* $Id: tree.php.t,v 1.83 2005/08/08 13:36:52 hackie Exp $ ** This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the@@ -139,7 +139,7 @@ LEFT JOIN {SQL_TABLE_PREFIX}poll p ON m.poll_id=p.id'. (_uid ? ' LEFT JOIN {SQL_TABLE_PREFIX}poll_opt_track pot ON pot.poll_id=p.id AND pot.user_id='._uid : ' ').' WHERE - m.id='.$mid.' AND m.apr=1'); + m.id='.$mid.' AND m.apr=1 AND m.thread_id='.$th); if (!$msg_obj) { // invalid message id invl_inp_err();
Greatings, Alexander Heidenreich
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Fudforum: incompletely check of user rights in tree view gaining access to all messages Alexander Heidenreich (Aug 11)