miniBB ® 

miniBB

®
Support Forums
  
 | Start | Register | Search | Statistics | File Bank | Manual |
Bugs miniBB Support Forums / Bugs /  
 

[?] Is it a file inclusion bug or not

 
Author Paul
Lead Developer 
#1 | Posted: 19 Jun 2007 04:43 
As reported today by our customer, recently an issue has been posted on security focus site which can be found under the URL:

http://www.securityfocus.com/bid/24503/info

It says the issue is about "Input Validation Error" and the code under "Exploit" section provides the algorithm, which tries to register on miniBB forums and instead of 3-chars language value supply the path and name of the file which could be included later as the "language" file, that way its content could be shown to the attacker.

I may be wrong, I may be true, but here is what I think: this is just another "fake" hack which just emulates the understanding that there is something vulnerable, at the time there is nothing vulnerable at all.

I've met couple of such hacks in the past.

Now, mine proof-of-concept:

1. Exploit page says "Attackers can use a browser to exploit this issue", but the code provided does not allow it at all. The hack suggests to run itself in the command line. In general, you may use the browser submitting your own "modified" registration page where the language value is substituted, however this does not change things a lot. Read below.

2. The code supplied tries to substitute $language variable with the file name to include. It is obvious that variable $language is not checked in the bb_func_regusr.php file which handles the registration process, however it is doubtful that it will work.

First, a database field can handle just 3 chars (as by default in miniBB's structure). mySQL will cut off this value down to 3 chars not depending what is specified.

Second, even if the database scructure would allow your script to save "language" value in database this way, this value is stripped of slashes, backslashes and dots in index.php before including the file. See the checking routine right after the string in index.php which says

user_logged_in();

As a result I would like to read other opinions regarding this case... before issuing "a solution" :-) Maybe the solution would be just to post on securityfocus that another student from Iran crashed his reputation in the hackers underground.

Bugs miniBB Support Forums / Bugs /
 [?] Is it a file inclusion bug or not
 Share Topic's Link

Your Reply Click this icon to move up to the quoted message


  ?
Post as a Guest, leaving the Password field blank. You could also enter a Guest name, if it's not taken by a member yet. Sign-in and post at once, or just sign-in, bypassing the message's text.


Before posting, make sure your message is compliant with forum rules; otherwise it could be locked or removed with no explanation.

 

 
miniBB Support Forums Powered by Forum Software miniBB ® Home  Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contact Us
Get the Captcha add-on: protect your miniBB-forums from the automated spam and flood.


  ⇑