Vulnerability

Ikonboard

Affected

Ikonboard up to version 2.1.7b

Description

Gijs Hollestelle found the following. Ikonboard is a free forum system, similar to UBB and UB. Versions up to and including 2.1.7b contain a vulnerability that allows commands to be executed as the script user. This compromises the security of the system running the board and allows an attacker to get the passwords of the board users, because they are in no way encrypted/hashed.

The problem lies in the following piece of DIRTY Perl code, found in register.cgi (and other files):

    @params = $query->param;
    foreach $param(@params) {
        $theparam = $query->param($param);
        $theparam = &unHTML("$theparam");
        # symbolic reference: assigns to the variable named by the parameter
        ${$param} = $theparam;
    }

This code allows an attacker to override any scalar variable, and therefore also the settings made in data/boardinfo.cgi. This would have been only a minor problem if there had not been a $SEND_MAIL setting, which contains the location of the sendmail binary used to send out emails containing passwords for new registrations and other things. An attacker can now execute any program as the script user by putting &SEND_MAIL=/path/program in the URL and making the program send an email, for example by signing up as a new user and setting the passwordverification option to yes using this same trick.

An exploit for this vulnerability is trivial and we will not post it here as it would only be used by script-kiddies.

Solution

Shortly after the author was informed of this vulnerability a fix was issued, and this vulnerability is now fixed (the version number seems to be unchanged though). There appear to be more problems, the complete absence of encryption being just one of them. Ikonboard is very nice-looking, user-friendly forum software, but it has some security issues. Maybe it would be better to wait for the 2.2 release, which should fix a lot of these issues.
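One way to avoid the parameter-to-variable pattern described above, as an added example that is not Ikonboard's code or its author's fix: form parameters are copied into a hash through an allowlist, so a parameter named SEND_MAIL never reaches the setting. The field names, the SampleQuery stub, the body of unHTML and the sendmail path are assumptions made for illustration.

```perl
use strict;    # strict refs makes ${$param} = ... a fatal error for string names
use warnings;

# Settings as data/boardinfo.cgi would define them (constructed sample value).
my %config = (SEND_MAIL => '/usr/sbin/sendmail');

# Form fields the script agrees to read (hypothetical names).
my %allowed = map { $_ => 1 } qw(membername emailaddress);

# Stand-in for the page's unHTML(), whose body the page does not show.
sub unHTML {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    return $text;
}

# Copy allowlisted parameters into a hash; names never become variables.
sub read_form {
    my ($query) = @_;
    my (%form, @rejected);
    foreach my $name ($query->param) {
        if ($allowed{$name}) {
            my $value = $query->param($name);
            $form{$name} = unHTML(defined $value ? $value : '');
        } else {
            push @rejected, $name;    # worth logging: not a known form field
        }
    }
    return (\%form, \@rejected);
}

# Minimal stand-in for the CGI query object so the example runs without CGI.pm.
package SampleQuery;
sub new   { my ($class, %p) = @_; return bless {%p}, $class }
sub param { my ($self, $n) = @_; return defined $n ? $self->{$n} : sort keys %$self }

package main;
# Constructed request: two form fields plus a parameter named after a setting.
my $query = SampleQuery->new(
    membername   => 'alice',
    emailaddress => 'alice@example.org',
    SEND_MAIL    => '/path/program',
);
my ($form, $rejected) = read_form($query);
print "accepted: ", join(', ', map { $_ . '=' . $form->{$_} } sort keys %$form), "\n";
print "rejected: @$rejected\n";
print "SEND_MAIL: $config{SEND_MAIL}\n";
```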