~ PHOX: myPHP v3 (Final) 'Sender/Poster Exploit' ~

###
# Content
###

 - Credits
 - 'sploit
 - Solution

###
# Credits
###

Exploit discovered by Phox/Terencentanio/Phoxpherus of Root32.

Email: terencentanio.enache@btopenworld.com / terencentanio@root32.com

###
# 'sploit
###

There are two exploits here.

#1. Posting as someone else.

It's rather nooby, but the poster username is submitted in the form. Easily changed with a bit of JavaScript or an external form (JS is easier)

-----------------
JavaScript: void(document.input.nbuser.value="Admin"); alert(document.input.nbuser.value); 
-----------------

This will change the poster username to "Admin" (can be edited to whatever username you like) and then it'll confirm success by alerting with the new name.

Then, you type your subject and body and post.

#2. Sending messages as someone else.

This is the same as the post one, but the JS is a bit different.

Load the page to send a PM to a user, then enter into the URL bar:

-----------------
JavaScript: void(document.forms[1].sender.value="Admin"); alert(document.forms[1].sender.value);
-----------------

When you send, it'll appear to them as being from "Admin" or whatever you change it to. 

You can really do whatever you want with this. 

###
# Solution
###

To solve these, you'll have to open post.php and privmsg.php

In post.php, pay a visit to line 82 and change "$nbuser = $_POST['nbuser'];" into "$nbuser = $_COOKIE['nbuser'];"

In privmsg.php, line 208, change "$sender = $_POST['sender'];" to "$sender = $_POST['sender'];"

There may be some other things that need changing. Due to limits on my time, and the fact that I found this sploit and am writing this while I should be working on a site, I can't go into everything and do proper tests, etc.

Vendor will be notified as soon as possible. Hopefully he'll take notice of this one (he ignored the last one)