COMMAND
Ikonboard
SYSTEMS AFFECTED
Ikonboard up to and including version 2.1.7b
PROBLEM
Gijs Hollestelle found the following. Ikonboard is a free forum
system, similar to UBB and UB. Versions up to and including
2.1.7b contain a vulnerability that allows commands to be executed
as the script user, thereby compromising the security of the
system running the board and allowing an attacker to obtain the
passwords of the board users, because they are in no way
encrypted/hashed.
The problem lies in the following piece of DIRTY perl code, found
in register.cgi (and other files):
@params = $query->param;               # every parameter NAME in the request
foreach $param (@params) {
    $theparam = $query->param($param);
    $theparam = &unHTML("$theparam");  # strips HTML from the value only
    ${$param} = $theparam;             # symbolic reference: the parameter
                                       # name selects which global is set
}
This code allows an attacker to override any scalar variable,
including the settings made in data/boardinfo.cgi. This would
have been only a minor problem if there were no $SEND_MAIL
setting, which holds the location of the sendmail binary used to
send out emails containing passwords for new registrations and
other things. An attacker can now execute any program as the
script user by putting &SEND_MAIL=/path/program in the URL and
making the program send an email, for example by signing up as a
new user and setting the password verification option to yes
using this same trick.
An exploit for this vulnerability is trivial and we will not
post it here as it would only be used by script-kiddies.
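The pattern above, as an added example that is not Ikonboard's own code: the symbolic-reference loop beside a rewrite that keeps request parameters in their own hash so that a parameter name can never select a configuration global. The %query and %cfg hashes and the path /tmp/not-sendmail are constructed stand-ins for the decoded request, for the data/boardinfo.cgi settings and for an attacker-supplied value; CGI.pm is left out so the script runs stand-alone.

```perl
#!/usr/bin/perl
# Added example, not Ikonboard's code. %query, %cfg and the path
# '/tmp/not-sendmail' are constructed stand-ins for the request, for
# data/boardinfo.cgi and for an attacker-chosen value.
use strict;
use warnings;

# Decoded request parameters: one expected field plus a parameter
# whose NAME matches a configuration global.
my %query = (
    username  => 'alice',
    SEND_MAIL => '/tmp/not-sendmail',
);

# --- the advisory's pattern: parameter names become variable names ---
our $SEND_MAIL = '/usr/sbin/sendmail';   # stand-in for the boardinfo setting

sub vulnerable_load {
    no strict 'refs';   # the original script never enables strict at all
    for my $param (keys %query) {
        ${$param} = $query{$param};   # ${"SEND_MAIL"} is $main::SEND_MAIL
    }
}
vulnerable_load();
print "vulnerable: \$SEND_MAIL is now $SEND_MAIL\n";   # the attacker's path

# With 'strict refs' in force the same assignment dies instead of succeeding.
my $name = 'SEND_MAIL';
eval { ${$name} = '/tmp/not-sendmail'; };
print "strict refs refuses it: $@" if $@;

# --- hardened pattern: input lives in its own hash, config stays apart ---
my %cfg = ( SEND_MAIL => '/usr/sbin/sendmail' );

sub safe_load {
    my @allowed = qw(username password email);   # fields the form expects
    my %form;
    for my $field (@allowed) {
        $form{$field} = $query{$field} if exists $query{$field};
    }
    return \%form;   # unknown names such as SEND_MAIL are simply dropped
}
my $form = safe_load();
print "hardened: \$cfg{SEND_MAIL} is still $cfg{SEND_MAIL}\n";
print "hardened: SEND_MAIL reached the form? ",
      (exists $form->{SEND_MAIL} ? "yes" : "no"), "\n";
```

Enabling strict alone would have turned this bug into a runtime error on every request rather than a silent override; the allow-list copy is what makes the script correct.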
SOLUTION
Shortly after the author was informed of this vulnerability a fix
was issued and the vulnerability is now fixed (the version number
seems to be unchanged though). There appear to be more problems,
the complete absence of encryption being just one of them.
Ikonboard is very nice-looking, user-friendly forum software but
it has some security issues. Maybe it would be better to wait
for the 2.2 release that should fix a lot of these issues.