e_Board version 4.0 is susceptible to a directory traversal attack.
Hi,
I found a vulnerability in e_Board ver. 4.0 which allows remote
users to open any file on the system. I think all prior vers have
the same problem.
e_Board is a wwwboard-like CGI script. It's written by Mike Bagneski
in Perl (and for sale! $14.95).
http://www.e-scripts.com/eboard/
It doesn't check whether posted data contains a null byte or slash,
so we can use rfp's Poison NULL byte and dir traversal technique... =)
An example:
http://www.e-scripts.com/cgi-bin/eboard40/index2.cgi?frames=yes&board=demo&mode=Current&threads=Collapse&message=../../../../../../../../../../../etc/passwd%00
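Quick fix:
# Accept digits only. \A and \z anchor the whole string; with ^...$ a value
# that ends in a newline would still match.
die "invalid message number" if ($message !~ m/\A\d+\z/);
# insert this before:
# open(MESSAGE, "$board_path/$messages_dir/$message.txt") || &return_page('File Error', "Can't read $board_path/$messages_dir/$message.txt");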
Thanks,
----
White_E
http://nogimmick.org/
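
Added example (not part of the original advisory and not e_Board's own code): the quick fix above extended into a path resolver that allowlists the message number and then confirms the resolved file is still inside the messages directory. The function name message_path, the 10-digit length limit, the "messages" directory name and the sample inputs are assumptions made for this demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper: returns the resolved path of the message file,
# or undef when the request must be rejected.
sub message_path {
    my ($board_path, $messages_dir, $message) = @_;

    # Digits only. \A and \z anchor to the true start and end of the string,
    # so a NUL byte, '/', '.' or a trailing newline can never pass.
    # The 10-digit limit is an assumed upper bound, not taken from e_Board.
    return unless defined $message && $message =~ /\A[0-9]{1,10}\z/;

    my $base = realpath(File::Spec->catdir($board_path, $messages_dir));
    return unless defined $base && -d $base;

    my $candidate = File::Spec->catfile($base, "$message.txt");
    return unless -f $candidate;

    # Defence in depth: resolve symlinks and confirm the file is still
    # inside the messages directory.
    my $path = realpath($candidate);
    return unless defined $path && index($path, "$base/") == 0;
    return $path;
}

# Constructed board layout in a temporary directory.
my $board_path = tempdir(CLEANUP => 1);
mkdir "$board_path/messages" or die "mkdir: $!";
open(my $fh, '>', "$board_path/messages/12.txt") or die "open: $!";
print {$fh} "hello\n";
close $fh;

# Constructed inputs: a valid id, a decoded traversal value with a trailing
# NUL like the one in the advisory, a newline-terminated id, an empty value
# and an id with no file behind it.
my @samples = ("12", ("../" x 11) . "etc/passwd\0", "12\n", "", "99");
for my $message (@samples) {
    (my $shown = $message) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    my $path = message_path($board_path, 'messages', $message);
    printf "%-48s %s\n", "'$shown'", defined $path ? "served" : "rejected";
}
```

Only the first input is served; the other four are rejected.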