SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   Easy Message Board Vendors:   Dumitrascu, Stelian
Easy Message Board Input Validation Hole Discloses Files to Remote Users and Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1013920
SecurityTracker URL:  http://securitytracker.com/id/1013920
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 9 2005
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  

Description:   SoulBlack Security Research reported some vulnerabilities in Easy Message Board. A remote user can view files on the target system. A remote user can also execute arbitrary commands.

The 'easymsgb.pl' script does not properly validate user-supplied input in the 'print' parameter. A remote user can supply a specially crafted parameter value containing '../' directory traversal characters to view files on the target system. A remote user can also supply a specially crafted value to execute arbitrary commands on the target system. The commands will run with the privileges of the target web service.

Some demonstration exploit URLs are provided:

http://[target]/cgi-bin/emsgb/easymsgb.pl?print=../../../../../../../../etc/passwd

http://[target]/cgi-bin/emsgb/easymsgb.pl?print=|id|

The original advisory is available at:

http://www.soulblack.com.ar/repo/papers/easymsgb_advisory.txt

Impact:   A remote user can view files on the target system.

A remote user can execute arbitrary commands on the target system with the privileges of the target web service.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.geocentral.net/colscripts/emsgb/index.html (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Easy Message Board Directory Traversal and Remote Command


============================================================

============================================================
Title: Easy Message Board Directory Traversal and Remote Command Execution
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 08/05/2005
Severity: High. Remote Users Can Execute Arbitrary Code.
Affected version: Easy Message Board
Vendor: http://www.geocentral.net/colscripts/index.html
============================================================

============================================================

* Summary *

Easy Message Board is "Easy Message Board"

------------------------------------------------------------------------------------------------------------------------

* Technical Description *


A new vulnerability was identified in Easy Message Board, which may be
exploited by attackers to compromise a vulnerable web server. This
flaw is due to an input validation error in the "easymsgb.pl" script
where the variable print that is put under "open()", does not have a
control of data, which may be exploited by a remote attacker to
execute arbitrary commands with the privileges of the web server.

------------------------------------------------------------------------------------------------------------------------

* Example *

http://SITE/cgi-bin/emsgb/easymsgb.pl?print=../../../../../../../../etc/passwd
http://SITE/cgi-bin/emsgb/easymsgb.pl?print=|id|

------------------------------------------------------------------------------------------------------------------------

* Fix *

Contact the Vendor.

------------------------------------------------------------------------------------------------------------------------

* References *

http://www.soulblack.com.ar/repo/papers/easymsgb_advisory.txt 

------------------------------------------------------------------------------------------------------------------------

* Credits *

Vulnerability reported by SoulBlack Security Research

============================================================
--
SoulBlack - Security Research
http://www.soulblack.com.ar
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC