MHL-2006-004 - Public Advisory

+-----------------------------------------------------------+
|                mboard Security Issue                      |
+-----------------------------------------------------------+


PUBLISHED ON
  November 26th, 2006


PUBLISHED AT
  http://www.mayhemiclabs.com/advisories/MHL-2006-004.txt
  http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006004


PUBLISHED BY
  Mayhemic Labs
  http://www.mayhemiclabs.com

  security AT mayhemiclabs DOT com
  GPG key: 0x56143F84


APPLICATION
  MBoard - PHP message board
  http://www.phpjunkyard.com/php-message-board.php

  "MBoard is a PHP message board script (a simple forum)."


AFFECTED VERSIONS
  Versions 1.22 and below


ISSUES
  MBoard does not check the Post ID for malicious data when replying,
  allowing an attacker to create blank files on the system wherever
  the web server has write access.

  Example: An attacker can reply to a message, and edit the "orig_id"
  variable to something malicious ("../../../../../../tmp/ZOMGHAX")
  mboard will then create the specified file (appending the
  configured extension.

WORKAROUNDS
  Enabling Magic Quotes will negate the issue.


SOLUTIONS
  Upgrade to version 1.3


REFERENCES
  MBoard - http://www.phpjunkyard.com/php-message-board.php


TIMELINE
  October 11th, 2006
    Vendor/Developer Notified
    Vendor/Developer Response Recieved

  October 25th, 2006
    Vendor/Developer Followup
    Vendor/Developer Response Recieved
    
  November 16th, 2006
    Vendor/Developer Followup

  November 18th, 2006
    New Version Released
    
  November 26th, 2006
    Advisory Released

        
ADDITIONAL CREDIT
  N/A

LICENSE
  Creative Commons Attribution-ShareAlike License
  http://creativecommons.org/licenses/by-sa/2.5