Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Several bugs found in "Spyke's PHP Board"

From: "Marc Bromm" <theblacksheep () fastmail fm>
Date: Mon, 09 Jun 2003 09:25:19 -0800
 ================================================
<------------------------------------------------>
<------------#www.bright-shadows.net#------------>
<------------------------------------------------>
<--------------#theblacksheep&erik#-------------->
<------------------------------------------------>
 ================================================

Advisory Information
--------------------
Advisory Name      : Several bugs found in "Spyke's PHP Board"
Author             : Marc Bromm <theblacksheep () fastmail fm> Germany
Discover by        : Marc Bromm <theblacksheep () fastmail fm> Germany
Release Date       : 9. June 2003
Application        : Spyke's PHP Board (textfile based board)
Vendor Homepage    : http://www.spyke-online.de
Vulnerable Versions: v2.1 (maybe older)
Platforms          : OS Independent, PHP
Severity           : High 

######Overview:

"Spyke's PHP Board" is a small textfile based PHP board. You have to
register to write messages. Also an admin area exist. There you can
add/delete threads, add/delete topics. 
The website www.spyke-online.de is the official website where you can get
it.

######Exploit:

1. Get userinformation
 
All information of a user like password (plaintext), e-mail, icq number,
signatur ... are stored in textfiles in the directory "user/".
Every file has the name of the user.

So if you register as "theblacksheep" your information are stored in:

user/theblacksheep.txt

So it is possible for you to open the files with your browser to get the
information. 


2. Get the admin password and username

In the root directory you can find a file called "info.dat". It looks
like:

      <?php
        $boardname="Spykes PHP Board";
        $hintergrund="#C0C0C0";
        $linkfarbe="#333333";
        $table1="#606060";
        $table2="#F0F0F0";
        $table3="#A0A0A0";
        $text="#000000";
        $adminname="adminname";
        $adminpw="adminpassword";
        $topicdelzahl="15";
        $phpendung = ".php";
      ?>

So only open this file with your browser and get the admin information.
Then you can log in as admin. So you have full control.

Also some more bugs exist. So it is also possible to:

--> Create topic in not existing thread (found by DigitalAcid)
--> Change anyone's account without knowing their password (FirebirdGM)


######Fix:

It is not possible to fix that holes. (You can do it but then you have to
change everything [how the whole information are stored]) 

######Vendor Response:

For "Spyke PHP Board" no support exist.

Greetz to:

erik, FirebirdGM, DigitalAcid

==================================================
-- 
  
  theblacksheep () fastmail fm

-- 
http://www.fastmail.fm - Or how I learned to stop worrying and
                          love email again
Previous By Date Next
Previous By Thread Next

Current thread: