STG Security Advisory: [SSA-20050120-22] JSBoard file disclosure vulnerability

advisory_at_stgsecurity.com
Date: 01/20/05

    Date: 20 Jan 2005 05:38:45 -0000
    To: bugtraq@securityfocus.com


    STG Security Advisory: [SSA-20050120-22] JSBoard file disclosure vulnerability.

    Revision 1.0
    Date Published: 2005-01-20 (KST)
    Last Update: 2005-01-20 (KST)
    Disclosed by SSR Team (advisory@stgsecurity.com)

    Summary
    ========
    JSBoard is one of the most widely used web BBS applications in Korea. Because
    of an input validation flaw, a malicious attacker can read arbitrary files.

    Vulnerability Class
    ===================
    Implementation Error: Input validation flaw

    Impact
    ======
    Medium : arbitrary file disclosure

    Affected Products
    ================
    JSBoard 2.0.9 and prior.

    Vendor Status: FIXED
    ====================
    2004-12-31 Vulnerability found.
    2004-12-31 JSBoard developer notified.
    2005-01-02 Developer confirmed.
    2005-01-02 Update version released.
    2005-01-20 Official release.

    Details
    =======
    When magic_quotes_gpc = off, PHP passes an input value containing a null
    character through unescaped, and the part after the null character is
    discarded once the value reaches a file function. Because JSBoard's
    session.php does not sanitize the $table variable, a malicious attacker can
    read arbitrary files.

    ---
    include_once "include/print.php";
    parse_query_str();          // populates $table directly from the query string
    $opt = $table ? "&table=$table" : "";   // $table is reused as-is, without validation
    $opts = $table ? "?table=$table" : "";
    ...snip...
    ---
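    The hardened form of this check, as an added example that is not JSBoard's own code: it assumes the board maps $table to a directory under a fixed data path (a hypothetical data/<table>/ layout) and reads the parameter from $_GET instead of relying on parse_query_str().

```php
<?php
// Added example, not part of JSBoard. Assumes board data for each table lives
// under a fixed base directory (hypothetical layout: data/<table>/).

// Accept only a short identifier. One rule rejects null bytes, "/" and "..",
// which are exactly what the advisory's traversal string relies on.
function safe_table_name(string $raw): ?string
{
    // preg_match is binary-safe, so "../../etc/passwd\0" fails the match
    // regardless of the magic_quotes_gpc setting.
    if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $raw)) {
        return null;
    }
    return $raw;
}

// Resolve the table directory and, as defence in depth, verify that the
// resolved path is still inside $base even if the allow-list were loosened.
function table_dir(string $base, string $raw): ?string
{
    $table = safe_table_name($raw);
    if ($table === null) {
        return null;
    }
    $baseReal = realpath($base);
    $path     = realpath($base . DIRECTORY_SEPARATOR . $table);
    if ($baseReal === false || $path === false) {
        return null;
    }
    if (strpos($path, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;   // escaped the data directory
    }
    return $path;
}

// Usage in place of the unchecked $table from parse_query_str():
$raw = isset($_GET['table']) ? (string) $_GET['table'] : '';
$dir = table_dir(__DIR__ . '/data', $raw);
if ($dir === null) {
    http_response_code(400);
    exit('invalid table');
}
$opt  = '&table=' . rawurlencode(basename($dir));
$opts = '?table=' . rawurlencode(basename($dir));
```

    With this in place the proof-of-concept request below is rejected with a 400 before any file path is built, and a web server log entry for session.php carrying "%00" or "../" in the table parameter is a reliable indicator that someone tried it.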

    Proof of Concept
    ================
    A local web proxy (e.g., Achilles) is required to prove the vulnerability.

    http://[victim]/session.php?logins=true&m=logout&table=../../../../../../etc/passwd%00

    Solution
    =========
    Upgrade to 2.0.10
    http://kldp.net/frs/download.php/1729/jsboard-2.0.10.tar.gz

    Vendor URL
    ==========
    http://kldp.net/projects/jsboard/

    Credits
    ======
    Jeremy Bae at STG Security

