--------------------- SUMMARY ---------------------

Name:

XennoBB "avatar gallery" directory traversal (10/8/2006)

Vendor / Product:

XennoBB Group
http://www.xennobb.com/

Description:

The world's most revolutionary and easy to use bulletin board.

Revolutionary because it redefines the boundaries of usability
and power; from the first version it's a real alternative to
the commercial forums out there.

How can XennoBB be described in a few words?
Lightning-speed, stable, SECURED(?) and modern.

Version(s) Affected:

<= 2.1.0

Severity:

Medium

Impact:

Directory traversal (Remote)

Status:

Unpatched

Discovered by:

Chris Boulton

Original advisory:

http://www.surfionline.com/security_advisories/20060810_xennobb_avatar_gallery_transversal.txt

=0D
------------------- DESCRIPTION -------------------

A vulnerability exists in the above mentioned versions of XennoBB which
can be exploited by malicious users to traverse various directories
on the server.

Input passed to the "gallery" parameter in profile.php is not properly
sanitized before being used to open the corresponding directory on the
file system. This can lead to manipulation of content in directories
higher up than the script intends.

=0D
--------------------- EXPLOIT ---------------------

Submit a forged POST request to

profile.php?action=avatar_gallery&id={your registered user ID here}

With the following as the POST data:

category=../../general/

Successful exploitation leads to images in the /img/general folder
being shown to the user. A similar process can be used to obtain other
confidential system documents or images which may exist on the server.

=0D
--------------------- SOLUTION --------------------

Ensure input is correctly sanitized and invalid/unacceptable
characters are removed from the gallery POST variable before the
directory is opened on the server.
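The following is an added illustration of the fix the SOLUTION section calls for; it is not XennoBB's source. The gallery base path, the POST field name "category" (taken from the EXPLOIT section) and the helper names are assumptions.

```php
<?php
// Added example, not XennoBB's code: hardening the avatar-gallery directory
// open that the advisory describes. AVATAR_GALLERY_BASE is an assumed layout.
define('AVATAR_GALLERY_BASE', __DIR__ . '/img/avatars');

// Reconstructed vulnerable pattern (hypothetical, not the vendor's source):
// the POST value is concatenated straight into the path, so a value such as
// "../../general/" escapes the gallery root.
function open_gallery_unsafe(string $category)
{
    return opendir(AVATAR_GALLERY_BASE . '/' . $category);
}

// Hardened version: allow-list the name, then confirm the canonical path is
// still inside the gallery root before the directory is opened.
function resolve_gallery_dir(string $category): ?string
{
    // 1. Accept only a plain single-level directory name (no separators,
    //    no dots, so "..", "/" and "\" are all rejected up front).
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $category)) {
        return null;
    }
    // 2. Canonicalise both ends and require the target to sit below the
    //    base directory; this also catches symlinks pointing elsewhere.
    $base   = realpath(AVATAR_GALLERY_BASE);
    $target = realpath(AVATAR_GALLERY_BASE . '/' . $category);
    if ($base === false || $target === false) {
        return null;            // base missing or category does not exist
    }
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;            // resolved outside the gallery tree
    }
    return $target;
}

function open_gallery_safe(string $category)
{
    $dir = resolve_gallery_dir($category);
    if ($dir === null) {
        http_response_code(400);
        exit('Invalid avatar gallery category.');
    }
    return opendir($dir);
}

// Usage in profile.php?action=avatar_gallery (assumed field name "category"):
// $handle = open_gallery_safe($_POST['category'] ?? '');
```

With this check in place the advisory's "../../general/" value fails the allow-list in step 1, and a category that passes step 1 but resolves outside the gallery (for example via a symlink) is rejected in step 2.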