Aterr Forums Multiple Vulnerabilities
SUMMARY
--------
Aterr is a threaded forum system allowing registered visitors to express
their opinions, discuss topics, and debate with other visitors. A threaded
forum system differs from regular, flat forum systems in that once posted,
a thread can fork, allowing visitors to reply directly to other posts. Aterr
also provides a customisable permissions system, the ability to nest forums,
and moderation tools.
IMPACT
-------
Can lead to Disclosure of system information, Disclosure of user information
and Modification of forum setup.
VERSIONS
---------
Vulnerable systems:
* Aterr versions prior to 0.4
Immune systems:
* Aterr version 0.5
DESCRIPTION #1 - Modification of Forum Setup
--------------
The file forums.php fails to check that an administrator has the correct
privileges to log into the admin panel and edit the forum setup such as
changing the logo, title etc.
Proof of Concept:
www.yoursite.com/forums/forums.php?op=admin&sub=config
Fix:
Add the following to forums.php starting at line 1393:
1393 : if (!permission::has_flag('forums', F_FORUM_EDIT))
1394 : {
1395 : redirect('http://' . $config['domain_name'] . $config['install_path'] . forums::furl('admin'));
1396 : }
DESCRIPTION #2 - Disclosure of User Information
--------------
Not filtering HTML of the Topic header allows XSS exploits to be added to
any forum post.
Proof of Concept:
Enter the following as a topic header:
Fix:
None given; upgrade to the new version.
DESCRIPTION #3 - Disclosure of System Information
--------------
No check is made to see if a valid profile has been selected. When an invalid
profile has been requested, the forum discloses full path information to the
user.
Proof of Concept:
www.yoursite.com/forums/accounts.php?op=viewprofile&u=
Fix:
None given; upgrade to the new version.
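A hardened version of the profile lookup and topic-header output, covering descriptions #2 and #3, is added here as an illustration; it is not Aterr's own code, and the function names, the $users array and the 404 handling are assumptions.

```php
<?php
// Added example (not Aterr's code): hardened handling for issues #2 and #3.
// Function names, the $users array and the 404 response are assumptions.

// Issue #3: keep PHP's own error output away from the browser, since a
// failed include or warning is what prints the full filesystem path.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Accept only a non-empty run of digits as a profile id; "u=" (empty)
// and anything non-numeric are rejected before any record is looked up.
function lookup_profile(array $query, array $known_users): ?array
{
    if (!isset($query['u']) || !ctype_digit((string) $query['u'])) {
        return null;
    }
    $uid = (int) $query['u'];
    // $known_users stands in for the forum's user table (assumed shape).
    return $known_users[$uid] ?? null;
}

// Issue #2: encode untrusted text (topic headers, user names) on output so
// tag and attribute markup is displayed literally rather than interpreted.
function render_topic_header(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function profile_response(array $query, array $known_users): string
{
    $profile = lookup_profile($query, $known_users);
    if ($profile === null) {
        // Generic message only: no path, no query text, no stack trace.
        http_response_code(404);
        error_log('viewprofile: invalid or unknown profile id requested');
        return 'No such profile.';
    }
    return 'Profile of ' . render_topic_header($profile['name']);
}

// Constructed sample data standing in for the user table and requests.
$users = [7 => ['name' => 'alice']];
echo profile_response(['u' => '7'], $users), "\n";  // Profile of alice
echo profile_response(['u' => ''], $users), "\n";   // No such profile.
echo render_topic_header('Re: <b>rules</b> & "quotes"'), "\n";
// Re: &lt;b&gt;rules&lt;/b&gt; &amp; &quot;quotes&quot;
```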
ADDITIONAL INFORMATION
-----------------------
Vendor URL - http://chimaera.starglade.org
Underlying OS - Linux (Any), UNIX (Any), Windows (Any)
Credit - Jay Scott