Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: etc :: web4838.htm

Ikonboard BBS Admin priv exploit



2nd Nov 2001 [SBWID-4838]
COMMAND

	Ikonboard

SYSTEMS AFFECTED

	 Affected  Version: Ikonboard ib219 and all older version

	 Affected Platform: Windows,Linux, Solaris sparc, Solaris x86, AIX, HP, Digital, IRIX, SCO etc.

	

PROBLEM

	Chen Jun (http://www.netguard.com.cn) found following, on Ikonboard.  It
	is a widely used web bbs program written by perl. The program  contained
	a  vulnerability,  Remote  attacker  can  exploit  it  and  get  a   bbs
	administrator\'s privilege. In some environment,  attacker  may  gain  a
	nobody shell or gain the machine\'s privilege.
	

	

	File:Search.cgi

	---[L.55-56]---

	$inmembername     = cookie(\"amembernamecookie\");

	$filename = $inmembername;

	---

	

	

	As   we   can   see,   $inmembername   is    the    get    for    cookie
	\'amembernamecookie\'
	

	---[L.66-]---

	$searchfilename = \"$ikondir\" . \"search/$filename\";

	---

	

	

	

	---[L.124-131]---

	    open (SEARCH, \">$searchfilename\") or die \"Cannot save to the search folder\";

	    print SEARCH \"$CUR_TIME\\n\";

	    print SEARCH \"$SEARCH_STRING\\n\";

	    print SEARCH \"$TYPE_OF_SEARCH\\n\";

	    print SEARCH \"$REFINE_SEARCH\\n\";

	    print SEARCH \"$FORUMS_TO_SEARCH\\n\";

	    close (SEARCH);

	---

	

	

	--- Well, it sets the file, runs it through the filter and opens it.
	

	-> $cookie(\"amembernamecookie\");, remember?! ;)

	

	Here the variable  $filename  come  from  Cookie  amembernamecookie  not
	filter \"..\", attacker can sent a  fake  cookie(\"amembernamecookie\"),
	set up or edit the file on the system, because the write  file  variable
	not filter, so the attacker can write any content to the file, and  gain
	the bbs administrator\'s privilege.
	

	On UNIX like system, if you system  is  php  enable,  you  can  use  the
	upload function, upload a php script to run command.
	

	On Windows  system,  because  it\'s  weakness  of  runing  perl  script,
	attacker can use  this  vulnerability  set  up  a  perl  script  to  run
	command.
	

	

SOLUTION

	 Workaround

	 ----------

	

	 1.about the Cookie

	 at file Search.cgi before line 56 $filename = $inmembername;

	 add below:

	

	$inmembername =~ s/\\///g;

	$inmembername =~ s/\\.\\.//g;

	

	

	 2.filter all write file variable 

	

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH