ADP Forum 2.0.2

ADP Forum is a forum that stores its data in TXT files rather than in an SQL database. In the config.php file, you assign the administrator account by which the forum is going to be controlled.

--- snip ----
$admin_user="admin";
--- snip ----

Another point is that member information is saved in TXT files in the users folder, one file per user name. For example, if we assign the nickname "admin" to the administrator, the file will look like this: ../users/admin.txt.

According to the variable $admin_user, the administrator is "admin", so the file that belongs to this user will be ../users/admin.txt. This file contains the encrypted password. In addition to that, there is a piece of code in the template.php file, and I will try to explain in short how it works.

--- snip ---

$messread = fopen("$mess_dir/$nm.txt", "r");
$messaggio = fread($messread, filesize("$mess_dir/$nm.txt"));
fclose($messread);

--- snip ---

The threads posted by members are automatically saved in the messaggi folder, whose path is the value of the variable $mess_dir. The variable $nm determines the file that contains the thread.

You can assign a value to the variable $nm through the URL. So what if you assign it ../users/admin, as in the following:

http://vulnerable.site.com/fourm/template.php?nm=../users/admin

It will open the file, but the file will be empty. Certainly, you know why this happened.

This vulnerability exists in many places, including the reply.php file. It takes only a simple procedure to read the files in ../users and delete them; the files are written to ../messaggi under a different name.

Surely, this action will lead you to delete the admin. Try this, open this URL:

http://vulnerable.site.com/forum/reply.php?nm=../users/admin

Name: rootextractor
Username: Only for members
Password: Only for members
E-mail: condor@phreaker.net
Subject: [ huh ]
Message: huh too

Then press Post. Now you have deleted the file ../users/admin.txt and written an identical copy of it in the messaggi folder under a name such as, let's say, 1029201290.txt.

Now go and register with the name "admin", and you will have the admin's permissions.
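
A hardened form of the template.php read quoted above, as an added example that is not part of the original advisory or of ADP Forum's own code. The helper name resolve_thread_file() is hypothetical, and the digits-only rule assumes thread files are named like the 1029201290.txt mentioned above; the demo directory and file contents are constructed.

```php
<?php
// Added example: hardened replacement for the fopen("$mess_dir/$nm.txt") read.
// resolve_thread_file() is a hypothetical helper, not part of ADP Forum.

function resolve_thread_file(string $mess_dir, string $nm): ?string
{
    // Assumption: thread files are named like 1029201290.txt, so accept
    // digits only. This rejects "../users/admin", slashes and NUL bytes.
    if (preg_match('/\A[0-9]{1,20}\z/', $nm) !== 1) {
        return null;
    }

    $base = realpath($mess_dir);
    $path = realpath($mess_dir . '/' . $nm . '.txt');
    if ($base === false || $path === false) {
        return null; // directory or thread file does not exist
    }

    // Defence in depth: the resolved path must still sit inside $mess_dir
    // (catches symlinks placed in the folder).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Self-contained demo on a constructed directory layout.
$root = sys_get_temp_dir() . '/adp_demo_' . getmypid();
mkdir("$root/messaggi", 0700, true);
mkdir("$root/users", 0700, true);
file_put_contents("$root/messaggi/1029201290.txt", "constructed thread body");
file_put_contents("$root/users/admin.txt", "constructed password hash");

foreach (['1029201290', '../users/admin', '..%2Fusers%2Fadmin', ''] as $nm) {
    $file = resolve_thread_file("$root/messaggi", $nm);
    echo str_pad(var_export($nm, true), 24), ' => ',
         $file === null ? 'rejected' : file_get_contents($file), "\n";
}

// Remove the constructed demo files.
array_map('unlink', glob("$root/*/*.txt"));
rmdir("$root/messaggi"); rmdir("$root/users"); rmdir($root);
```

The same check belongs in front of every place that builds a path from $nm, including reply.php, which the advisory names as sharing the flaw.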

There is also another problem in the Upload Avatar feature that comes along with the Member Profile: anyone can upload any kind of file (.cgi, .php, .py), not only pictures. There is no filter!


condor condor@phreaker.net
CompuMe compume2000@hotmail.com
http://www.angels-bytes.com/ 

