Message-ID: <20050120053845.6742.qmail@www.securityfocus.com>
Date: 20 Jan 2005 05:38:45 -0000
From: <advisory@...security.com>
To: bugtraq@...urityfocus.com
Subject: STG Security Advisory: [SSA-20050120-22] JSBoard file disclosure
    vulnerability




STG Security Advisory: [SSA-20050120-22] JSBoard file disclosure
vulnerability.

Revision 1.0
Date Published: 2005-01-20 (KST)
Last Update: 2005-01-20 (KST)
Disclosed by SSR Team (advisory@...security.com)

Summary
========
JSBoard is one of the widely used web BBS applications in Korea. Because of an
input validation flaw, a malicious attacker can read arbitrary files.

Vulnerability Class
===================
Implementation Error: Input validation flaw

Impact
======
Medium : arbitrary file disclosure

Affected Products
================
JSBoard 2.0.9 and prior.

Vendor Status: FIXED
====================
2004-12-31 Vulnerability found.
2004-12-31 JSBoard developer notified.
2005-01-02 Developer confirmed.
2005-01-02 Update version released.
2005-01-20 Official release.

Details
=======
PHP has a feature that discards input values containing null characters
when magic_quotes_gpc = off. Because JSBoard's session.php doesn't sanitize
the $table variable, a malicious attacker can read arbitrary files.

---
include_once "include/print.php";
parse_query_str();
$opt = $table ? "&table=$table" : "";
$opts = $table ? "?table=$table" : "";
...snip...
---
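
The kind of check whose absence is described above, as an added example that
is not JSBoard's code and not the 2.0.10 fix. The function name
validate_table(), the per-board data directory and the allowed character set
are assumptions.

```php
<?php
// Added example, not JSBoard code and not the 2.0.10 patch.
// Assumption: "table" names a board and ends up in a filesystem path
// below a per-board data directory ($baseDir is hypothetical).

function validate_table($raw, $baseDir)
{
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    // A NUL byte ends the filename at the C layer in PHP of this era,
    // cutting off any suffix the application appends. Reject it outright.
    if (strpos($raw, "\0") !== false) {
        return null;
    }
    // Allowlist: no dots, slashes or backslashes, so no "../" segments.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $raw)) {
        return null;
    }
    // Defence in depth: the resolved path must exist and stay under the base.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $raw);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $raw : null;
}

// Constructed demo: a temporary data directory with one board, "notice".
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'jsb_demo_' . getmypid();
mkdir($base . DIRECTORY_SEPARATOR . 'notice', 0700, true);

$samples = array(
    'notice',                              // legitimate board name
    "../../../../../../etc/passwd\0",      // decoded form of the PoC value
    '../notice',                           // traversal without NUL
    'missing',                             // well-formed but no such board
);
foreach ($samples as $s) {
    $ok = validate_table($s, $base) !== null;
    printf("%-44s %s\n", json_encode($s), $ok ? 'accepted' : 'rejected');
}

rmdir($base . DIRECTORY_SEPARATOR . 'notice');
rmdir($base);
```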

Proof of Concept
================
A local web proxy (e.g., Achilles) is required to prove the vulnerability.

http://[victim]/session.php?logins=true&m=logout&table=../../../../../../etc/passwd%00

Solution
=========
Upgrade to 2.0.10
http://kldp.net/frs/download.php/1729/jsboard-2.0.10.tar.gz

Vendor URL
==========
http://kldp.net/projects/jsboard/

Credits
======
Jeremy Bae at STG Security

