Bugtraq mailing list archives

TBE - the banner engine server-side script execution vulnerability


From: "Ed J. Aivazian" <stealth () arminco com>
Date: Thu, 22 Jan 2004 13:25:27 +0400

WHAT
==============================
TBE - the banner engine is a banner exchange system widely used in
Russia and countries of the former USSR.
TBE has all the basic features required for a beginner banner exchange
network and together with its low cost TBE got pretty popular.

Company: Native Solutions
Author: Ivan Stanislavsky
URL - http://www.native.ru


STATUS
==============================
Author notified, no reply yet


WHERE
==============================
html banner view/preview


HOW
==============================
TBE's html banner create feature does not perform any checking and writes
the user's input directly into a file named
/bn/tbe-$user_id-$banner_id.html
With some configurations (especially at web-hosting companies) where
.html files are interpreted by the web server as
application/x-httpd-XXX, the code written into the html banner by an
attacker will be executed every time the banner is previewed or viewed.
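As an added illustration (not part of the original post or of TBE itself): an
audit script an administrator could run over an existing /bn directory to find
banners that would be executed by such a handler, plus the input check a
hardened create handler should make before writing the file. The file name
pattern comes from the advisory; the set of server-side markers (PHP, ASP-style,
SSI) is an assumption, since the post only names the handler as
application/x-httpd-XXX.

```python
import re
import tempfile
from pathlib import Path

# File name pattern from the advisory: /bn/tbe-$user_id-$banner_id.html
BANNER_NAME = re.compile(r"^tbe-\d+-\d+\.html$")

# Markers a server-side handler bound to .html would execute. The advisory
# only says application/x-httpd-XXX, so PHP, ASP-style and SSI forms are all
# covered here (assumption: these are the handlers commonly mapped to .html).
SCRIPT_MARKERS = {
    "php-open-tag": re.compile(r"<\?(php\b|=|\s)", re.IGNORECASE),
    "asp-style-tag": re.compile(r"<%"),
    "ssi-directive": re.compile(r"<!--#\s*(exec|include|echo|cmd)\b", re.IGNORECASE),
}

def banner_html_is_safe(html: str) -> bool:
    """Check a hardened create handler should make before writing the banner:
    reject any submission that carries a server-side marker (hypothetical helper)."""
    return not any(rx.search(html) for rx in SCRIPT_MARKERS.values())

def scan_banner_dir(bn_dir: str) -> list[tuple[str, str]]:
    """Audit an existing /bn directory and return (file, marker) for every
    banner whose body would be executed by such a handler."""
    hits = []
    for path in sorted(Path(bn_dir).iterdir()):
        if not BANNER_NAME.match(path.name):
            continue  # not a TBE banner file, skip it
        body = path.read_text(errors="replace")
        for name, rx in SCRIPT_MARKERS.items():
            if rx.search(body):
                hits.append((path.name, name))
                break
    return hits

def build_sample_dir() -> str:
    """Constructed sample /bn directory (not real data): one clean banner,
    one carrying an embedded PHP tag, and a non-banner file that must be ignored."""
    d = Path(tempfile.mkdtemp())
    (d / "tbe-7-42.html").write_text("<a href='http://example.invalid'><img src='ad.gif'></a>")
    (d / "tbe-7-43.html").write_text("<b>ad</b><?php echo 'executed'; ?>")
    (d / "readme.txt").write_text("<?php not a banner ?>")
    return str(d)

if __name__ == "__main__":
    for fname, marker in scan_banner_dir(build_sample_dir()):
        print(f"{fname}: contains {marker}")  # prints: tbe-7-43.html: contains php-open-tag
```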


VERSIONS AFFECTED
==============================
Tested on TBE5, possibly all other versions that have html banner
implementation


EXAMPLE
==============================
I was a bit lazy this morning, so I put something like this:
http://vision.am/~stealth/tbe1.jpg

And got this:
http://vision.am/~stealth/tbe2.jpg
The code is displayed in an iframe, so there is no difficulty scrolling
the window.


RISK
==============================
web server privileges (danger varies depending on configuration)



-- 
Cheers,
ed

