GulfTech Computers strives to beat the price(s) of any other business around.
Check with us first as it just may save you some time and money. And who doesn't want to
save money? Please contact us with any questions or inquiries.
SubScan v1.2 Scans a domain for DNS records and SubDomains. Very stealthy, and can be used
to find many hosts not on the public netblock. A very interesting tool to say the least.
Works on both Nix and Windows based systems. Get it now!
Download SubScan v1.2
You can use the form below to search our site. Just enter the keyword or keywords to search.
Multiple Vulnerabilities In OpenBB
April 24, 2022
||: OpenBB Group
||: Open Bulletin Board 1.0.6 && Earlier
||: Multiple Vulnerabilities
OpenBB is a fast, lightweight, powerful bulletin board written
in PHP/MySQL. Main features include: full customization via styles
templates, instant messaging, private messaging, categories, member
ranks, poll based threads, moderation, BB codes, thread notifications,
Avatars, member lists, private forums and more.
Cross Site Scripting:
OpenBB is prone to Cross Site Scripting in multiple files. This may
allow an attacker to run code in the context of a users browser, or
used to harvest sensitive information from a user such as cookie
information. Below are some examples of the XSS issues in OpenBB.
It may be possible for an attacker to execute arbitrary SQL queries
due to user supplied input not being properly sanitized. Lets have
a look at some code from one of the affected files .. post.php
// Check to make sure they are not posting to a category
$query_type = new query($SQL, "SELECT type FROM ".$prefix."forum_display
WHERE forumid = $FID");
$ftype = $query_type->field('type');
As we can see from this code, the $FID variable seems to get passed
directly to the query without being validated, thus allowing for
an attacker to execute malicious queries. This is not the only
vulnerable file though. Below are a list of similarly vulnerable
These files are prone to similar attacks because they allow input
that has not been validated to be executed in the query. This can
be used for example to pull users password hashes.
Arbitrary Command Execution:
This is really in my opinion at least, a very fundamental flaw. As
stated in the HTTP/1.1 RFC (RFC 2616 Section 9.1.1 "Safe Methods") no
GET request should be used to make any significant actions. This however
would not be such a big deal if there was some sort of auth key or
session id in place to verify the validity of actions, but there isn't.
In short all an attacker has to do is send an admin a pm, or make a
malicious post with the desired command and the action will silently
execute. For example below are some example administrative actions that
an attacker could include in an image tag or malicious link.
This kind of attack can also be used to run user and moderator commands
as seen below. These are only examples, not all the possibilities.
OpenBB actually tries to prevent these kind of attacks by filtering out
certain input as seen in /lib/codeparse.php but this does not work. Lets
have a look at the code.
if(!preg_match('#^(http|https)://(.*?)\.(gif|jpg|jpeg|png)$#', $inside) )
$return = '[ invalid image ]';
$return = '<img src="' .str_replace('"', '', $inside). '" alt="User-Posted
Image (tm)" border="0" />';
All an attacker has to do in order to have the command executed successfully
is make sure the url within the image tag ends with an allowed extension.
This is not very safe at all because we can make up a variable, add a good
extension and the code is still ran. For example
As we can see from the above examples, this issue can be used by a
malicious person to all but completely sabotage a site running OpenBB.
In the past I have seen phpBB for example deal with the same issue of
using unsafe GET requests by limiting the bbcode to only allow images
with a valid extension. However this is a bad idea because it does not
solve the problem at all, and to this day all phpBB versions are
vulnerable to having arbitrary posts deleted and more just by visiting
a malicious web page or link. It is a serious issue and should be
treated as such. It greatly impacts the security of a web application.
Even using the POST method without an auth key or the like is a bad idea
in my opinion.
These other issues I am about to describe have been discovered by a guy
named Manuel Lopez firstname.lastname@example.org and asked me to include them in this
OpenBB write up.
/* Snip */
Hi JeiAr, I am Manuel.
I have just read your post in OpenBB.
At March 24 2004 I alert Stu about some vulnerabilities that I have found on
March 20 2004, Stu
tell me .. "A verson 1.0.7 will be released ASAP".
I was having in mind publishing an advisory as soon as Stu released the new
/* Snip */
The issues are in the avatar feature and pm feature. From what I understand a
user can read arbitrary PM's just by specifying the message id. For example the
url might look something like this.
Where "INT" is there would be an integer specifying the message ID. The other
issue discovered by Manuel is the fact that you can upload any file as an avatar.
While this does not allow for php, or server side code execution, it does allow
for client side code (such as JS, VBS, etc) to be executed. The uploaded code
will then be available at the following url once uploaded.
Once again, just want to specify the last two vulnerabilities were discovered by
Manuel Lopez and not myself, he just asked if I would include them :)
Vendors were contacted many weeks ago and plan to release a fixed version soon. Check
the OpenBB website for updates and official release details.
Credits go to JeiAr of the GulfTech Security Research Team.