exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

phox.txt

phox.txt
Posted Jun 21, 2005
Authored by Phox

myPHP version 3 suffers from some authentication flaws.

tags | advisory
SHA-256 | 7acb86e0cb84d96d1c0a4a8bad9fef5794155e64405dfc6914ef1930d430fdbc

phox.txt

Change Mirror Download


~ PHOX: myPHP v3 (Final) 'Sender/Poster Exploit' ~

###
# Content
###

- Credits
- 'sploit
- Solution

###
# Credits
###

Exploit discovered by Phox/Terencentanio/Phoxpherus of Root32.

Email: terencentanio.enache@btopenworld.com / terencentanio@root32.com

###
# 'sploit
###

There are two exploits here.

#1. Posting as someone else.

It's rather nooby, but the poster username is submitted in the form. Easily changed with a bit of JavaScript or an external form (JS is easier)

-----------------
JavaScript: void(document.input.nbuser.value="Admin"); alert(document.input.nbuser.value);
-----------------

This will change the poster username to "Admin" (can be edited to whatever username you like) and then it'll confirm success by alerting with the new name.

Then, you type your subject and body and post.

#2. Sending messages as someone else.

This is the same as the post one, but the JS is a bit different.

Load the page to send a PM to a user, then enter into the URL bar:

-----------------
JavaScript: void(document.forms[1].sender.value="Admin"); alert(document.forms[1].sender.value);
-----------------

When you send, it'll appear to them as being from "Admin" or whatever you change it to.

You can really do whatever you want with this.

###
# Solution
###

To solve these, you'll have to open post.php and privmsg.php

In post.php, pay a visit to line 82 and change "$nbuser = $_POST['nbuser'];" into "$nbuser = $_COOKIE['nbuser'];"

In privmsg.php, line 208, change "$sender = $_POST['sender'];" to "$sender = $_POST['sender'];"

There may be some other things that need changing. Due to limits on my time, and the fact that I found this sploit and am writing this while I should be working on a site, I can't go into everything and do proper tests, etc.

Vendor will be notified as soon as possible. Hopefully he'll take notice of this one (he ignored the last one)
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close