SecurityTracker.com

Category:   Application (Web Server/CGI)  >   Ikonboard
Vendors:   Ikonboard.com
Ikonboard Bulletin Board Cookie Input Validation Flaw Lets Remote Users Write to Files on the System
SecurityTracker Alert ID:  1002662
SecurityTracker URL:  http://securitytracker.com/id/1002662
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 30 2001
Impact:   Modification of user information, User access via network

Version(s): ib219 and prior versions
Description:   China Net Security Technology Corporation reported an input validation flaw in the Ikonboard bulletin board software. A remote user can write to files on the system and can gain bulletin board administrator access. In some cases, remote code execution may be possible.

It is reported that the software does not filter "../" character strings from the authentication cookies and also uses the cookie name as a file name. As a result, a remote user can send those characters within a cookie to write to files on the system with the privileges of the web server.

It is reported that this exploit may also be used to execute arbitrary commands on the system.

The vendor has reportedly been notified.

Impact:   A remote user can write to files on the system with web server privileges and can gain bulletin board administrator privileges. In some cases, the remote user may be able to execute arbitrary code on the server with the privileges of the web server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.ikonboard.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Ikonboard Cookie filter vulnerability


---------------------------------------------------------------------------
Ikonboard Cookie filter vulnerability
---------------------------------------------------------------------------

Release information
-------------------

Found   Date: 2001-9-03 
Release Date: 2001-10-30
Author: chenjun@netguard.com.cn
Homepage: http://www.netguard.com.cn


Description
-----------

   Ikonboard is a widely used web BBS program written in Perl. The program contains a vulnerability: a remote attacker can exploit
 it and gain a BBS administrator's privilege. In some environments, an attacker may gain a nobody shell or gain the machine's privilege.
 
   

Version and Platform
--------------------

Affected  Version: Ikonboard ib219 and all older versions
Affected Platform: Windows, Linux, Solaris sparc, Solaris x86, AIX, HP, Digital, IRIX, SCO etc.


Details
-------

File:Search.cgi
---[L.55-56]---
$inmembername     = cookie("amembernamecookie");
$filename = $inmembername;
---
As we can see, $inmembername is read from the cookie 'amembernamecookie'.
---[L.66-]---
$searchfilename = "$ikondir" . "search/$filename";
---


---[L.124-131]---
    open (SEARCH, ">$searchfilename") or die "Cannot save to the search folder";
    print SEARCH "$CUR_TIME\n";
    print SEARCH "$SEARCH_STRING\n";
    print SEARCH "$TYPE_OF_SEARCH\n";
    print SEARCH "$REFINE_SEARCH\n";
    print SEARCH "$FORUMS_TO_SEARCH\n";
    close (SEARCH);
---

---
Well, it sets the file, runs it through the filter and opens it.
-> $cookie("amembernamecookie");, remember?! ;)

Here the variable $filename comes from the cookie amembernamecookie, and ".." is not filtered. An attacker can send a fake cookie("amembernamecookie")
 to create or edit a file on the system. Because the variables written to the file are not filtered, the attacker can write any content to the file
 and gain the BBS administrator's privilege.

On UNIX-like systems, if your system is PHP-enabled, you can use the upload function to upload a PHP script to run commands.

On Windows systems, because of its weakness in running Perl scripts, an attacker can use this vulnerability to set up a Perl script to run commands.

Proof-Of-Concept exploit
------------------------

Wait for the vendor to fix it first ;)

Workaround
----------

1. About the cookie:
In file Search.cgi, before line 56 ($filename = $inmembername;),
add the lines below:
$inmembername =~ s/\///g;
$inmembername =~ s/\.\.//g;

2. Filter all variables that are written to files.

Vendor information
------------------

Vendor was informed on 2001-10-29
Vendor Homepage: http://www.leoboard.com


About Netguard
--------------

China Net Security Technology Corporation (CNTC) is a leading provider of computer network and information security services in China.

Copyright 2001 http://www.netguard.com.cn, All rights reserved.
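
The workaround in the message above rewrites the cookie value by stripping characters. The sketch below shows the stricter alternative of rejecting any value that is not a plain member name, combined with three-argument open. It is an added example, not part of the source message or of Ikonboard's code; the helper names, the temporary directory standing in for the search folder, and the permitted character set and 32-character limit are all assumptions.

```perl
#!/usr/bin/perl
# Added example: allowlist validation of a cookie-derived file name.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Constructed stand-in for "${ikondir}search"; a temp dir keeps the demo self-contained.
my $search_dir = tempdir(CLEANUP => 1);

# Hypothetical helper: return a path inside $dir for $name, or undef if $name
# is not a plain member name. Input is rejected, never rewritten.
sub search_file_for {
    my ($dir, $name) = @_;
    return undef unless defined $name;
    # Letters, digits, "_" and "-" only: no ".", "/", "\" or NUL.
    # \A and \z anchor the whole string, so a trailing newline fails too.
    return undef unless $name =~ /\A([A-Za-z0-9_-]{1,32})\z/;
    return File::Spec->catfile($dir, $1);
}

# Hypothetical helper: write the search record with three-argument open, so the
# mode is fixed and the path string is never parsed for mode characters.
sub save_search {
    my ($dir, $name, @fields) = @_;
    my $path = search_file_for($dir, $name)
        or return 0;                       # refuse to write
    open(my $fh, '>', $path) or die "Cannot save to the search folder: $!";
    print {$fh} "$_\n" for @fields;
    close($fh) or die "close failed: $!";
    return 1;
}

# Constructed sample cookie values.
for my $cookie ('alice', 'bob_01', '../outside', 'a/b', 'a\\b', '..', '', "x\n") {
    my $ok = save_search($search_dir, $cookie, time(), 'query', 'all');
    (my $shown = $cookie) =~ s/\n/\\n/g;
    printf "%-12s %s\n", "'$shown'", $ok ? 'written' : 'rejected';
}
```

If real member names may contain other characters, map each member to a server-generated identifier and use that as the file name rather than widening the pattern.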

 
 



Copyright 2020, SecurityGlobal.net LLC