SecurityTracker.com

Category:   Application (Forum/Board/Portal)  >   JSBoard
Vendors:   Kim, Byungchan et al
JSBoard 'session.php' Input Validation Flaw Discloses Files to Remote Users
SecurityTracker Alert ID:  1012949
SecurityTracker URL:  http://securitytracker.com/id/1012949
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 20 2005
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 2.0.9 and prior
Description:   Jeremy Bae at STG Security reported a vulnerability in JSBoard. A remote user can view arbitrary files.

The 'session.php' script does not properly validate the user-supplied 'table' variable. If magic_quotes_gpc is set to 'off' in the 'php.ini' configuration file, then a remote user can supply a specially crafted URL to view files on the target system with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/session.php?logins=true&m=logout&table=../../../../../../etc/passwd%00

The vendor was notified on December 31, 2004.

Impact:   A remote user can view files on the target system with the privileges of the target web service.
Solution:   The vendor has issued a fixed version (2.0.10), available at:

http://kldp.net/frs/download.php/1729/jsboard-2.0.10.tar.gz

Vendor URL:  kldp.net/projects/jsboard/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  STG Security Advisory: [SSA-20050120-22] JSBoard file disclosure vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20050120-22] JSBoard file disclosure
vulnerability.

Revision 1.0
Date Published: 2005-01-20 (KST)
Last Update: 2005-01-20 (KST)
Disclosed by SSR Team (advisory@stgsecurity.com)

Summary
========
JSBoard is one of the widely used web BBS applications in Korea. Because of an
input validation flaw, a malicious attacker can read arbitrary files.

Vulnerability Class
===================
Implementation Error: Input validation flaw

Impact
======
Medium : arbitrary file disclosure

Affected Products
================
JSBoard 2.0.9 and prior.

Vendor Status: FIXED
====================
2004-12-31 Vulnerability found.
2004-12-31 JSBoard developer notified.
2005-01-02 Developer confirmed.
2005-01-02 Update version released.
2005-01-20 Official release.

Details
=======
PHP has a feature discarding the input values containing null characters
when magic_quotes_gpc = off. Because JSBoard session.php doesn't sanitize
the $table variable, a malicious attacker can read arbitrary files.

- ---
include_once "include/print.php";
parse_query_str();
$opt = $table ? "&table=$table" : "";
$opts = $table ? "?table=$table" : "";
...snip...
- ---

Proof of Concept
================
A local web proxy (e.g., Achilles) is required to prove the vulnerability.

http://[victim]/session.php?logins=true&m=logout&table=../../../../../../etc/passwd%00

Solution
=========
Upgrade to 2.0.10
http://kldp.net/frs/download.php/1729/jsboard-2.0.10.tar.gz

Vendor URL
==========
http://kldp.net/projects/jsboard/

Credits
======
Jeremy Bae at STG Security

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBQe9EKj9dVHd/hpsuEQJwGgCg3IDCzyCUi9pV6NvzzDEXNb3H8McAoPcb
zi4Q8r51yh5Rchg4tFUfiMQP
=ZTUD
-----END PGP SIGNATURE-----
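
A log check for the request pattern this advisory describes, added here as an example (not code from SecurityTracker, STG Security or the JSBoard project): it flags session.php requests whose 'table' value decodes to a null byte or a parent-directory segment. The combined log format, the identifier pattern assumed for legitimate table names, the helper names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')  # request target in a log line
# Assumption: a legitimate board (table) name is a short plain identifier.
SAFE_TABLE_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so multiply-encoded input is normalised."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def check_table_param(target):
    """Return the reasons the 'table' value of a session.php request is suspect."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/session.php"):
        return []
    reasons = []
    for raw in parse_qs(parts.query, keep_blank_values=True).get("table", []):
        value = decode_fully(raw)  # parse_qs has already decoded once
        if "\x00" in value:
            reasons.append("null byte")
        if ".." in value.replace("\\", "/").split("/"):
            reasons.append("parent-directory segment")
        if not reasons and not SAFE_TABLE_RE.fullmatch(value):
            reasons.append("not a plain identifier")
    return reasons

def scan(lines):
    """Return (line_number, request_target, reasons) for each flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        reasons = check_table_param(match.group(1)) if match else []
        if reasons:
            hits.append((number, match.group(1), reasons))
    return hits

# Constructed sample log lines (documentation IP ranges); line 2 carries the advisory's URL.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jan/2005:10:00:01 +0900] "GET /session.php?m=logout&table=free HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Jan/2005:10:00:05 +0900] "GET /session.php?logins=true&m=logout&table=../../../../../../etc/passwd%00 HTTP/1.1" 200 1843',
    '192.0.2.10 - - [20/Jan/2005:10:00:09 +0900] "GET /list.php?table=free HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for number, target, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {target} -> {', '.join(reasons)}")
```

A hit in the logs of a host that ran 2.0.9 or earlier is a reason to review what the web service account could read at that time.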
 
 

