
List:       bugtraq
Subject:    Ikonboard Cookie filter vulnerability
From:       Chen Jun <chenjun () netguard ! com ! cn>
Date:       2001-10-30 6:56:55

---------------------------------------------------------------------------
Ikonboard Cookie filter vulnerability
---------------------------------------------------------------------------

Release information
-------------------

Found   Date: 2001-9-03 
Release Date: 2001-10-30
Author: chenjun@netguard.com.cn
Homepage: http://www.netguard.com.cn


Description
-----------

   Ikonboard is a widely used web BBS (bulletin board) program written in Perl. The program contains a vulnerability that a remote attacker can exploit to gain BBS administrator privileges. In some environments the attacker may also gain a shell as the web server user (nobody) or further privileges on the machine.

Version and Platform
--------------------

Affected  Version: Ikonboard ib219 and all older versions
Affected Platform: Windows, Linux, Solaris SPARC, Solaris x86, AIX, HP, Digital, IRIX, SCO etc.


Details
-------

File: Search.cgi
---[L.55-56]---
$inmembername     = cookie("amembernamecookie");
$filename = $inmembername;
---
As we can see, $inmembername is taken directly from the cookie 'amembernamecookie'.
---[L.66-]---
$searchfilename = "$ikondir" . "search/$filename";
---


---[L.124-131]---
    open (SEARCH, ">$searchfilename") or die "Cannot save to the search folder";
    print SEARCH "$CUR_TIME\n";
    print SEARCH "$SEARCH_STRING\n";
    print SEARCH "$TYPE_OF_SEARCH\n";
    print SEARCH "$REFINE_SEARCH\n";
    print SEARCH "$FORUMS_TO_SEARCH\n";
    close (SEARCH);
---

Well, it builds the file name, passes it along and opens the file for writing.
-> cookie("amembernamecookie"), remember?! ;)

Here the variable $filename comes from the cookie amembernamecookie and is not filtered for "..". An attacker can send a forged amembernamecookie cookie to create or overwrite a file anywhere on the system, and because the data written to the file is not filtered either, the attacker can write arbitrary content to that file and gain BBS administrator privileges.

On UNIX-like systems, if PHP is enabled on the server, the attacker can use the upload function to upload a PHP script and run commands.

On Windows systems, because of the weak way Perl scripts are run there, an attacker can use this vulnerability to place a Perl script and run commands.

Proof-of-Concept exploit
------------------------

Wait for the vendor to fix it first ;)

Workaround
----------

1. About the cookie:
in file Search.cgi, before line 56 ($filename = $inmembername;) add the following:
$inmembername =~ s/\///g;
$inmembername =~ s/\.\.//g;

2. Filter every variable that is used to write a file.
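As an added example (not part of the advisory and not Ikonboard code), here is a stricter form of workaround 1 that also covers the Details section above: instead of deleting "/" and ".." from the cookie value, the member name is accepted only if it matches an allow-list of characters, and the resulting path is checked to still lie inside the search directory before it is opened. The $search_dir value and the sample cookie values are constructed for the demonstration; only the "$ikondir" . "search/$filename" layout is taken from the advisory.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Hypothetical location of the search state files. Ikonboard builds
# "$ikondir" . "search/$filename"; here $search_dir stands in for that.
my $search_dir = File::Spec->rel2abs('search');

# Allow-list check: a member name used as a file name may contain only
# letters, digits, underscore and hyphen, 1 to 32 characters long.
# Anything else is rejected outright instead of being "cleaned up".
sub safe_filename {
    my ($name) = @_;
    return undef unless defined $name && $name =~ /\A[A-Za-z0-9_-]{1,32}\z/;
    return $name;
}

# Second line of defence: build the path and confirm it still lies inside
# $search_dir. abs2rel() expresses the path relative to the search
# directory; anything that escapes it starts with the ".." token.
sub search_path_for {
    my ($name) = @_;
    my $clean = safe_filename($name);
    return undef unless defined $clean;
    my $path = File::Spec->catfile($search_dir, $clean);
    my $rel  = File::Spec->abs2rel($path, $search_dir);
    return undef if $rel =~ /\A\.\.(?:[\\\/]|\z)/;
    return $path;
}

# Constructed cookie values for the demonstration (not from the advisory).
my @cookie_values = ('alice', 'bob_42', '../admin', 'alice/../x', '', 'x' x 40);

for my $value (@cookie_values) {
    my $path = search_path_for($value);
    printf "%-45s -> %s\n", "'$value'", defined $path ? $path : 'REJECTED';
}

# Only an accepted path is ever passed to open():
#   my $searchfilename = search_path_for(cookie("amembernamecookie"));
#   die "bad member name" unless defined $searchfilename;
#   open(SEARCH, ">$searchfilename") or die "Cannot save to the search folder";
```

The allow-list is the important part: a deny-list substitution such as s/\.\.//g only describes what the author has thought of, whereas the pattern above describes what a valid member name looks like and rejects everything else, so the second check rarely triggers in practice. Workaround 2 (filtering the data that is written) still applies; this example only handles the file name.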

Vendor information
------------------

Vendor was informed on 2001-10-29
Vendor Homepage: http://www.leoboard.com


About Netguard
--------------

China Net Security Technology Corporation (CNTC) is a leading provider of computer network and information security services in China.

Copyright 2001 http://www.netguard.com.cn, All rights reserved.

