ADP Forum v2.0.2 contains vulnerabilities which allow remote users to delete accounts, read encrypted passwords, and gain admin access.
fac6bda213743acedaec62da8da9907f6ad07a7c30fcf40dde14e6e60ccc7ad6
<html><div style='background-color:'><DIV></DIV>
<DIV></DIV>
<P>ADP Forum 2.0.2</P>
<P>ADP Forum is a forum that saves its data in TXT files; it does not use an SQL database. In the config.php file, you assign the administrator account by which the forum is going to be controlled.</P>
<P>--- snip ----<BR>$admin_user="admin";<BR>--- snip ----</P>
<P>Another point is that, in the users folder, each member's info is saved in a TXT file named after the user name. For example, if we assign the nickname "admin" to the administrator, the file will look like this: ../users/admin.txt.</P>
<P>According to the variable $admin_user, the administrator is "admin", so the file that belongs to this user will be ../users/admin.txt. This file contains the encrypted password. In addition to that, there is some code in the template.php file, and I will try to explain briefly how it works.</P>
<P>--- snip ---</P>
<P>$messread = fopen("$mess_dir/$nm.txt", "r");<BR>$messaggio = fread($messread, filesize("$mess_dir/$nm.txt"));<BR>fclose($messread);</P>
<P>--- snip ---</P>
<P>The threads posted by the members are automatically saved in the messaggi folder, whose path is held in the variable $mess_dir; the variable $nm determines the file that contains the thread.</P>
<P>You can assign a value to the variable $nm through the URL. So what if you assign it the value ../users/admin, as in the following:</P>
<P><A href="http://vulnerable.site.com/fourm/template.php?nm=../users/admin">http://vulnerable.site.com/fourm/template.php?nm=../users/admin</A></P>
<P>It will open the file, but the file will be empty. Certainly, you know why this happened.</P>
<P>This vulnerability exists in many places, including the reply.php file. It takes only a simple procedure to read the files in ../users and delete them; the files can be written in ../messaggi with a different name.</P>
<P>Surely, this action will let you delete the admin. To try this, open this URL:</P>
<P><A href="http://vulnerable.site.com/forum/reply.php?nm=../users/admin">http://vulnerable.site.com/forum/reply.php?nm=../users/admin</A></P>
<P>Name rootextractor <BR>Username Only for members <BR>Password Only for members <BR>E-mail <A href="mailto:condor@phreaker.net">condor@phreaker.net</A> <BR>Subject [ huh ] <BR>Message huh too</P>
<P>Then press Post. You have now deleted the file ../users/admin.txt and written an identical copy of it in the messaggi folder under a name such as 1029201290.txt.</P>
<P>Now go and register with the name "admin", and you will have the admin's permissions.</P>
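<P>One way to close the $nm traversal shown above in template.php, with the same check belonging before any use of $nm in reply.php. This is an added example, not ADP Forum code; the function name read_thread is hypothetical, and it assumes thread files are named with digits only, like the 1029201290.txt mentioned above.</P>

```php
<?php
// Added example, not ADP Forum code. Assumption: thread files in the
// messaggi folder are named with digits only (e.g. 1029201290.txt).

/**
 * Return the contents of thread $nm from $mess_dir, or null when the
 * name is not a plain thread id or resolves outside $mess_dir.
 */
function read_thread(string $mess_dir, string $nm): ?string
{
    // 1. Allow-list: digits only, so "../users/admin" never reaches fopen().
    if (!preg_match('/\A[0-9]{1,20}\z/', $nm)) {
        return null;
    }

    // 2. Containment: resolve both paths and require the file to sit
    //    directly inside the message directory (also covers symlinks).
    $base = realpath($mess_dir);
    $path = realpath($mess_dir . '/' . $nm . '.txt');
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }

    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

// Constructed demo data in a temporary directory.
$root = sys_get_temp_dir() . '/adp_demo_' . getmypid();
mkdir("$root/messaggi", 0700, true);
mkdir("$root/users", 0700, true);
file_put_contents("$root/messaggi/1029201290.txt", "hello thread");
file_put_contents("$root/users/admin.txt", "constructed-password-hash");

var_dump(read_thread("$root/messaggi", "1029201290"));     // existing thread id
var_dump(read_thread("$root/messaggi", "../users/admin")); // value from the advisory
var_dump(read_thread("$root/messaggi", "9999"));           // well-formed id, no file
```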
<P>There is also another problem: in the Upload Avatar feature that comes with the Member Profile, anyone can upload any kind of file (.cgi, .php, .py), not only pictures. There is no filter!</P>
<P><BR>condor <A href="mailto:condor@phreaker.net">condor@phreaker.net</A><BR>CompuMe <A href="mailto:compume2000@hotmail.com">compume2000@hotmail.com</A><BR><A href="http://www.angels-bytes.com/">http://www.angels-bytes.com/</A> <BR><BR><BR></P>
</div></html>