Vulnerability: Ikonboard
Affected: Ikonboard v2.1.7b

Description

Martin J. Muench found the following. This is another bug in the Ikonboard. Anyone can read any file on the remote system with the privileges of the web server.

File help.cgi (line 44):

    $inhelpon = $query -> param('helpon');

As we can see, $inhelpon is the input for 'helpon' (lines 95-97):

    $filetoopen = "$ikondir" . "help/$inhelpon.dat";
    $filetoopen = &stripMETA($filetoopen);
    open (FILE, "$filetoopen") or die "Cannot locate the required files";

Well, it sets the file, runs it through the filter and opens it. We are not going to post the whole filter it uses, because they really have been able to write a filter that is 24 lines long. And they finally forgot to filter the backslash, so we can easily just attach the 'poison null-byte' to '$inhelpon' and we escape the '.dat'. And of course the script doesn't check for "..", so we can specify every path we want.

Example:

    http://www.gmc-online.de/cgi-bin/ikonboard/help.cgi?helpon=../../../../../etc/passwd%00

would show the password file, if it is readable with the privileges of the web server.

    http://www.gmc-online.de/cgi-bin/ikonboard/help.cgi?helpon=../members/<member>.cgi%00

Replace <member> with the member name and it shows you his/her board password (works with Administrator accounts too).

Version 2.16b is vulnerable to this attack as well.

Solution

Not yet available. You could fix the script temporarily by inserting the following line under line 45 in 'help.cgi':

    $inhelpon =~ s/\///g;

This is lame, but it works. Another fix is simply to insert as line 45:

    if($inhelpon =~ /\.\./) { &hackdetected; }

then at the bottom append:

    sub hackdetected {
        print "Content-type: text/plain\n\n";
        print "sorry, this hole was patched :)\n";
        print "you have been logged.\n";
        exit;
    }

Of course you could change this to whatever.
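The two quick fixes above are deny-lists (strip '/' or reject '..'), which is the same approach whose 24-line filter already failed once. As an added example, not part of the advisory or of Ikonboard's code, here is how the file-open block of help.cgi could be rewritten with an allow-list on the topic name plus a canonical-path check; $query and $ikondir are assumed to be set as in the original script, and the $ikondir value shown is a placeholder.

```perl
#!/usr/bin/perl
# Added example: hardened replacement for the help.cgi file-open logic.
use strict;
use warnings;
use CGI;
use Cwd qw(realpath);
use File::Spec;

my $query   = CGI->new;
my $ikondir = '/path/to/ikonboard/';   # assumption: set as in the real script
my $helpdir = realpath(File::Spec->catdir($ikondir, 'help'))
    or die "help directory missing";

my $inhelpon = $query->param('helpon') // '';

# Allow-list instead of a deny-list: a help topic is letters, digits, '_' or '-'.
# '/', '\', '.' and NUL bytes are rejected outright, so neither '../' nor '%00'
# ever reaches open(); a NUL byte would otherwise truncate the name at the C level.
unless ($inhelpon =~ /\A[A-Za-z0-9_-]{1,64}\z/) {
    print "Content-type: text/plain\n\n", "invalid help topic\n";
    exit;
}

my $filetoopen = File::Spec->catfile($helpdir, "$inhelpon.dat");

# Defence in depth: after canonicalising (symlinks resolved), the path must
# still lie inside $helpdir. realpath() returns undef if the file does not exist.
my $real = realpath($filetoopen);
unless (defined $real && index($real, "$helpdir/") == 0) {
    print "Content-type: text/plain\n\n", "invalid help topic\n";
    exit;
}

# Three-argument open with an explicit read mode: the filename is never
# interpreted for mode characters such as '|' or '>'.
open(my $fh, '<', $real) or die "Cannot locate the required files";
print "Content-type: text/html\n\n";
print while <$fh>;
close $fh;
```

Both rejections log nothing here; in a real deployment the second branch is the one worth alerting on, since a name that passes the allow-list but escapes the directory indicates a symlink or configuration problem rather than user input.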