MHL-2006-004 - Public Advisory +-----------------------------------------------------------+ | mboard Security Issue | +-----------------------------------------------------------+ PUBLISHED ON November 26th, 2006 PUBLISHED AT http://www.mayhemiclabs.com/advisories/MHL-2006-004.txt http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006004 PUBLISHED BY Mayhemic Labs http://www.mayhemiclabs.com security AT mayhemiclabs DOT com GPG key: 0x56143F84 APPLICATION MBoard - PHP message board http://www.phpjunkyard.com/php-message-board.php "MBoard is a PHP message board script (a simple forum)." AFFECTED VERSIONS Versions 1.22 and below ISSUES MBoard does not check the Post ID for malicious data when replying, allowing an attacker to create blank files on the system wherever the web server has write access. Example: An attacker can reply to a message, and edit the "orig_id" variable to something malicious ("../../../../../../tmp/ZOMGHAX") mboard will then create the specified file (appending the configured extension. WORKAROUNDS Enabling Magic Quotes will negate the issue. SOLUTIONS Upgrade to version 1.3 REFERENCES MBoard - http://www.phpjunkyard.com/php-message-board.php TIMELINE October 11th, 2006 Vendor/Developer Notified Vendor/Developer Response Recieved October 25th, 2006 Vendor/Developer Followup Vendor/Developer Response Recieved November 16th, 2006 Vendor/Developer Followup November 18th, 2006 New Version Released November 26th, 2006 Advisory Released ADDITIONAL CREDIT N/A LICENSE Creative Commons Attribution-ShareAlike License http://creativecommons.org/licenses/by-sa/2.5