Ikonboard Bulletin Board Software Allows Remote Viewing of Files and Directories Outside of The Software's Root Directory
SecurityTracker Alert ID: 1001068
SecurityTracker URL: http://securitytracker.com/id/1001068
Date: Mar 12 2001
User access via network
Exploit Included: Yes
It is reported that Ikonboard bulletin board software for web sites contains a vulnerability that allows remote users to view files on the server that reside outside of the product's root directory.
The problem reportedly resides in the help.cgi file, which does not filter out the backslash or ".." characters. This allows the attacker to specify any path on the system.
Some demonstration exploit URL formats are provided in the original report.
The vendor has been contacted.
A remote user with access to the web server could request and view files and directories outside of Ikonboard's root directory.
No solution was available at the time of this entry.
Vendor URL: www.ikondiscussion.com/ikonboard/
Input validation error
Underlying OS: Windows (NT), Windows (2000)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: Ikonboard v2.1.7b "show files" vulnerability
-[ Product: Ikonboard
-[ Version: 2.1.7b
-[ OS: Unix, NT
-[ Vendor: Notified, http://www.ikonboard.com
-=[ Summary ]=-
This is another bug in the Ikonboard.
Anyone can read any file on the remote system with
the privileges of the web server.
-=[ Problem ]=-
$inhelpon = $query -> param('helpon');
As we can see, $inhelpon is the input for 'helpon'
$filetoopen = "$ikondir" . "help/$inhelpon.dat";
$filetoopen = &stripMETA($filetoopen);
open (FILE, "$filetoopen") or die "Cannot locate the required files";
Well, it sets the file, runs it through the filter and opens it.
-> $inhelpon, remember?! ;)
Ok, i am not going to post the whole filter it uses because they really
been able to write a filter that is 24 lines long.
And they finally forgot to filter the backslash, so we can easily just
attach the 'poison null-byte' to '$inhelpon' and we escape the '.dat'.
And of course the script doesn't check for "..", so we can specify the
path we want.
-=[ Exploit ]=-
- would show the password file, if it is readable with the privileges of
- replace <member> with the member name and it shows you his/her
(works with Administrator accounts too)
-=[ Patches ]=-
Not yet available.
You could fix the script temporary by inserting the following line under
line 45 in 'help.cgi':
$inhelpon =~ s/\///g;
This is lame, but it works.
-=[ Greetings ]=-
Neilk - learned a lot from you!
Marc Ruef - I promised it ;)
DukeCS - thanks for everything!
Marko - thanks for your help!
Tribunal - you taught me a lot, thanks
ICB - long time no speak
Svoern - "go get 'em" ;)
Martin J. Muench <firstname.lastname@example.org>
"Perl - The only language that looks the same before and after RSA
- Keith Bostic
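An added example, not from the report above or from Ikonboard, of the two checks that close this class of bug in help.cgi: allowlist the 'helpon' topic name instead of blocklisting metacharacters, then confirm the canonical path still lies under the help directory. It is written in Python rather than the script's Perl; IKONDIR, help_file_for and read_help_topic are constructed names.

```python
import os
import re

# Constructed stand-in for Ikonboard's $ikondir; the real value is site-specific.
IKONDIR = "/var/www/ikonboard/"

# A legitimate help topic is a bare name: letters, digits, underscore, hyphen.
# Anything else (slash, backslash, '.', NUL, ...) is refused outright.
_TOPIC_RE = re.compile(r"\A[A-Za-z0-9_-]{1,64}\Z")


def help_file_for(helpon, ikondir=IKONDIR):
    """Return the absolute path of help/<helpon>.dat under ikondir, or None
    when the request must be refused.

    Two independent checks replace the stripMETA()-style blocklist:
      1. allowlist the topic name, which rejects '..', '/', '\\' and the
         embedded NUL that let Perl's open() drop the '.dat' suffix;
      2. canonicalise the built path and confirm it is still inside
         ikondir/help/, so a future change to check 1 cannot reopen the hole.
    """
    if not isinstance(helpon, str) or not _TOPIC_RE.match(helpon):
        return None
    help_root = os.path.realpath(os.path.join(ikondir, "help"))
    candidate = os.path.realpath(os.path.join(help_root, helpon + ".dat"))
    # Containment: the canonical candidate must be strictly below help_root.
    if candidate == help_root or os.path.commonpath([help_root, candidate]) != help_root:
        return None
    return candidate


def read_help_topic(helpon, ikondir=IKONDIR):
    """Open the help file the way help.cgi does, but only after validation."""
    path = help_file_for(helpon, ikondir)
    if path is None:
        raise PermissionError("refused help topic %r" % (helpon,))
    with open(path, "rb") as fh:
        return fh.read()
```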