Bugtraq mailing list archives

Ikonboard Cookie filter vulnerability


From: Chen Jun <chenjun () netguard com cn>
Date: Tue, 30 Oct 2001 14:56:55 +0800

---------------------------------------------------------------------------
Ikonboard Cookie filter vulnerability
---------------------------------------------------------------------------

Release information
------------------

Found   Date: 2001-9-03 
Release Date: 2001-10-30
Author: chenjun () netguard com cn
Homepage: http://www.netguard.com.cn


Description
-----------

   Ikonboard is a widely used web BBS program written in Perl. The program contains a vulnerability that a remote 
attacker can exploit to gain BBS administrator privileges. In some environments the attacker may also gain a "nobody" 
shell or privileges on the machine itself. 
   

Version and Platform
--------------------

Affected  Version: Ikonboard ib219 and all older versions
Affected Platform: Windows,Linux, Solaris sparc, Solaris x86, AIX, HP, Digital, IRIX, SCO etc.


Details
-------

File:Search.cgi
---[L.55-56]---
$inmembername     = cookie("amembernamecookie");
$filename = $inmembername;
---
As we can see, $inmembername is read straight from the cookie 'amembernamecookie'.
---[L.66-]---
$searchfilename = "$ikondir" . "search/$filename";
---


---[L.124-131]---
    open (SEARCH, ">$searchfilename") or die "Cannot save to the search folder";
    print SEARCH "$CUR_TIME\n";
    print SEARCH "$SEARCH_STRING\n";
    print SEARCH "$TYPE_OF_SEARCH\n";
    print SEARCH "$REFINE_SEARCH\n";
    print SEARCH "$FORUMS_TO_SEARCH\n";
    close (SEARCH);
---

So it sets the filename from the cookie, builds the path with it and opens that path for writing.
-> cookie("amembernamecookie"), remember?! ;)

Here the variable $filename comes from the cookie amembernamecookie, and ".." is never filtered out. An attacker can 
send a fake amembernamecookie to create or edit a file anywhere on the system, and because the variables written 
into the file are not filtered either, the attacker can write any content to that file and gain BBS administrator 
privileges.

On UNIX-like systems, if the system has PHP enabled, the upload function can be used to upload a PHP script that runs commands.

On Windows systems, because of the weakness in how Perl scripts are run there, an attacker can use this vulnerability 
to set up a Perl script that runs commands.

Proof-of-Concept exploit
------------------------

Wait for the vendor to fix it first ;)

Workaround
----------

1. About the cookie
In file Search.cgi, before line 56 ($filename = $inmembername;),
add the following:
$inmembername =~ s/\///g;
$inmembername =~ s/\.\.//g;

2. Filter every variable that is written to a file.
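The following script is an added illustration and is not code from the advisory or from Ikonboard. It mirrors the two lines in Search.cgi where the cookie value becomes the filename, applies the workaround regexes from step 1 above, and then checks, for a few constructed cookie values, whether the resulting path still points inside the search directory. The install directory, the cookie values, and the function names are all assumptions; the allowlist check at the end is a stricter alternative of my own, added because the two substitutions above do not touch backslashes (the Windows path separator mentioned in the advisory) or NUL bytes.

```perl
#!/usr/bin/perl
# Added illustration, not Ikonboard's code: how a cookie value reaches the
# open() path in search.cgi, and what the advisory's workaround does and does
# not stop. All inputs below are constructed for the demonstration.
use strict;
use warnings;

my $ikondir = "/var/www/ikonboard/";   # assumed install directory

# Mirrors the advisory's excerpt: the cookie value becomes the filename verbatim.
sub build_search_path {
    my ($inmembername) = @_;
    my $filename = $inmembername;
    return "$ikondir" . "search/$filename";
}

# The advisory's suggested workaround, applied before $filename is set.
sub filter_workaround {
    my ($inmembername) = @_;
    $inmembername =~ s/\///g;     # strip forward slashes
    $inmembername =~ s/\.\.//g;   # strip ".." sequences
    return $inmembername;
}

# Stricter alternative (my addition, not from the advisory): accept only a
# short allowlisted token, so backslashes, NUL bytes and other surprises can
# never reach the path at all.
sub member_name_is_safe {
    my ($name) = @_;
    return $name =~ /\A[A-Za-z0-9_]{1,32}\z/ ? 1 : 0;
}

# Does the final path still name a file directly inside the search directory?
# Rejects forward slashes, backslashes, NUL bytes and ".." in the trailing part.
sub stays_in_search_dir {
    my ($path) = @_;
    my $prefix = "${ikondir}search/";
    return 0 unless index($path, $prefix) == 0;
    my $rest = substr($path, length $prefix);
    return ($rest =~ m{[/\\\0]} || $rest =~ /\.\./) ? 0 : 1;
}

sub display { my $s = shift; $s =~ s/\0/\\0/g; return "'$s'"; }

# Constructed cookie values (amembernamecookie) for the demonstration.
my @cookies = (
    "chenjun",                    # ordinary member name
    "../../index.html",           # traversal with forward slashes
    "..\\..\\Admin\\setup.cgi",   # traversal with backslashes (Windows)
    "....//....//etc/passwd",     # dots and slashes mixed
    "member\0.html",              # NUL byte, truncates the name in old Perls
);

for my $c (@cookies) {
    my $raw      = build_search_path($c);
    my $filtered = build_search_path(filter_workaround($c));
    printf "%-28s unfiltered:%-8s workaround:%-8s allowlist:%s\n",
        display($c),
        stays_in_search_dir($raw)      ? "ok" : "ESCAPES",
        stays_in_search_dir($filtered) ? "ok" : "ESCAPES",
        member_name_is_safe($c)        ? "accept" : "reject";
}
```

Run it with `perl` and compare the three columns: the unfiltered path escapes for every traversal value, the two substitutions from step 1 stop the forward-slash variants, and only the allowlist also rejects the backslash and NUL-byte values. That is why the second workaround step, filtering every variable that is written to a file, matters as much as the cookie fix: a path check that only knows about "/" and ".." is a patch for one traversal spelling, not a general rule for what a member name may contain.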

Vendor information
------------------

Vendor was informed on 2001-10-29
Vendor Homepage: http://www.leoboard.com


About Netguard
--------------

China Net Security Technology Corporation (CNTC) is a leading provider of computer network and information security 
services in China.

Copyright 2001 http://www.netguard.com.cn, All rights reserved.
