SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Web Server/CGI)  >   WoltLab Burning Board (wBB) Vendors:   Woltlab
WoltLabs Burning Board PHP-based Forum Discloses the Web Root Directory Location
SecurityTracker Alert ID:  1002868
SecurityTracker URL:  http://securitytracker.com/id/1002868
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 30 2001
Impact:   Disclosure of user information
Exploit Included:  Yes  
Version(s): 1.0 and 1.1
Description:   An information disclosure vulnerability has been reported in WoltLabs Burning Board. A remote user can determine the location of the web root directory.

It is reported that a flaw in the _functions.php module allows a remote user to determine the location of the web root directory on the server. If a remote user calls _functions.php and "$user_id" and "$user_password" are not defined and the remote user is logged out, the remote user can specify a value for the $templatefolder variable. The following URL is an example:

http://[target]/_functions.php?templatefolder=./NOT_A_VALID_FOLDER

In response to this URL, the server will return a warning message that discloses the server's web root directory, indicating that the file could not be found:

Warning: file("./NOT_A_VALID_FOLDER/lg_anonymous.htm") - No such file or directory in /home/vhosts/target-com/htdocs/_functions.php on line 878

Warning: Bad arguments to implode() in /home/vho..blah blah blah

Impact:   A local user can determine the location of the web root directory.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.woltlab.com/ (Links to External Site)
Cause:   Access control error, Exception handling error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  woltlab burning board 1.0 and 1.1 shows web root directory to remote users



I've discovered a bug in Woltlabs Burning Board 1.0 and 1.1 that shows the
webservers root directory. You'll find a detailed description in the text
file.

Woltlab Burning Board 1.0 Beta 4.5 and wbb 1.1 show the web root directory:

Vendor: http://www.woltlab.com/
vulnerable Versions: 1.0 ; 1.1

Example:
http://www.woltlab.com/de/forum/_functions.php?templatefolder=./NOT_A_VALID_FOLDER


There is a small bug in _functions.php that lets a remote user see the
server's webroot.
not very dangerous but still a bug..
When "_functions.php" is called, it checks if "$user_id" and
"$user_password" are defined.
If not, and if you are logged out (important), it executes the
following:

	// Builds the statement  $user_name = "<contents of lg_anonymous.htm>";  and runs it through eval()
	eval ("\$user_name = \"".gettemplate("lg_anonymous")."\";");

(btw. we're able to change $user_name's value but that doesn't matter
cause it's never used again in "_functions.php",
 and I think the board does use other variables to authenticate the
user. :/ )

So let's see what gettemplate is doing:

function gettemplate($template, $endung = "htm") {
        // $templatefolder is never declared elsewhere, so a request parameter can populate it
        global $templatefolder;
        if (!$templatefolder) $templatefolder = "templates";
        // Reads <folder>/<template>.<endung>, joins the lines and escapes double quotes for the eval() above
        return str_replace("\"", "\\\"", implode("", file($templatefolder."/".$template.".".$endung)));
}


Examining the script we can see that $templatefolder is undeclared, so
we can declare it in our url!
So let's test the following:

	http://[target]/_functions.php?templatefolder=./NOT_A_VALID_FOLDER

What we get back is a warning message containing the server's web root,
cause the file couldn't be found:

Warning: file("./NOT_A_VALID_FOLDER/lg_anonymous.htm") - No such file or directory in /home/vhosts/target-com/htdocs/_functions.php on line 878

Warning: Bad arguments to implode() in /home/vho..blah blah blah

The second warning is because implode doesn't get a string.


Too bad that quotes are filtered out by the "str_replace" in
"gettemplate()", cause we could specify "http://yourhost.com" as the
directory,
the script would fetch "http://yourhost.com/lg_anonymous.htm" and later
eval its value.. Then we could use the
eval command to execute arbitrary code, by using quotes and stuff.. ;)



It would be a good thing not to let the user change the value of
"$templatefolder".

That's all :)

Markus Arndt
markus-arndt@web.de
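The fix the message above asks for (and that the advisory description leaves open) is to stop a request parameter from choosing the template directory and to drop the eval(). The following is an added example, not WoltLab's code: it assumes a fixed templates directory beside the script, a hypothetical gettemplate_safe() name, and an assumed "Anonymous" fallback label.

```php
<?php
// Hardened replacement for the gettemplate()/eval() pattern in the advisory
// (added example). It takes no value from a global that register_globals
// could fill from the query string, confines reads to one directory, and
// assigns the template text directly instead of passing it through eval().

define('TEMPLATE_BASE', __DIR__ . '/templates');   // assumed layout

function gettemplate_safe(string $template, string $endung = 'htm'): string
{
    // Only a bare file name is accepted: no slashes, dots or URL schemes,
    // so neither "../x" nor "http://host" can become part of the path.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $template)) {
        throw new InvalidArgumentException('invalid template name');
    }
    if (!preg_match('/^[A-Za-z0-9]+$/', $endung)) {
        throw new InvalidArgumentException('invalid template extension');
    }

    $base = realpath(TEMPLATE_BASE);
    $path = realpath(TEMPLATE_BASE . '/' . $template . '.' . $endung);

    // realpath() returns false for a missing file. Raising a generic error
    // here, rather than letting file() emit a warning, keeps the absolute
    // filesystem path out of the HTTP response.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('template not found');
    }

    $contents = file_get_contents($path);
    if ($contents === false) {
        throw new RuntimeException('template not readable');
    }
    return $contents;   // no quote escaping needed: nothing is eval()'d
}

// The original built  $user_name = "...";  as a string and eval()'d it;
// a plain assignment yields the same value with no code-execution path.
function anonymous_user_name(): string
{
    try {
        return gettemplate_safe('lg_anonymous');
    } catch (RuntimeException $e) {
        error_log('lg_anonymous template missing: ' . $e->getMessage());
        return 'Anonymous';   // assumed fallback label
    }
}
```

Independently of the code change, a production site should log PHP warnings rather than render them (display_errors off, log_errors on), so that any remaining failed file() call cannot leak the document root.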