COMMAND

    Ikonboard

SYSTEMS AFFECTED

    Ikonboard up to version 2.1.7b

PROBLEM

    Gijs Hollestelle found the following. Ikonboard is a free forum
    system, similar to UBB and UB. Versions up to and including
    2.1.7b contain a vulnerability that allows commands to be executed
    as the script user. This compromises the security of the system
    running the board and allows an attacker to get the passwords of
    the board users, because they are in no way encrypted/hashed.

    The problem lies in the following piece of DIRTY Perl code, found
    in register.cgi (and other files):

        @params = $query->param;
        foreach $param(@params) {
          $theparam = $query->param($param);
          $theparam = &unHTML("$theparam");
          ${$param} = $theparam;
        }

    This code copies every request parameter into a scalar variable
    named after that parameter, so an attacker can override any scalar
    variable, and therefore also the settings made in
    data/boardinfo.cgi. This would have been only a minor problem if
    there had not been a $SEND_MAIL setting, which contains the
    location of the sendmail binary used to send out emails containing
    passwords for new registrations and other things. An attacker can
    now execute any program as the script user by putting
    &SEND_MAIL=/path/program in the URL and making the program send an
    email, for example by signing up as a new user and setting the
    passwordverification option to yes using this same trick.

    An exploit for this vulnerability is trivial and we will not post
    it here as it would only be used by script-kiddies.

SOLUTION

    Shortly after the author was informed of this vulnerability a fix
    was issued and now this vulnerability is fixed (version number
    seems to be unchanged though). There appear to be more problems,
    the complete absence of encryption being just one of them.
    Ikonboard is very nice-looking, user-friendly forum software, but
    it has some security issues. Maybe it would be better to wait
    for the 2.2 release that should fix a lot of these issues.
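
    The parameter loop shown under PROBLEM can be written without
    symbolic references. The following is an added example, not
    Ikonboard's code and not the fix the author issued; the field
    names, patterns, sample values and the read_form helper are
    hypothetical.

```perl
#!/usr/bin/perl
# With "use strict", the original ${$param} = ... assignment dies at run time
# ("Can't use string as a SCALAR ref"), so the override cannot happen silently.
use strict;
use warnings;

# Stand-in for a setting loaded from data/boardinfo.cgi (sample path).
our $SEND_MAIL = '/usr/sbin/sendmail';

# Form fields this script expects (hypothetical names), each with a pattern.
my %ALLOWED = (
    membername => qr/^[\w ]{1,32}$/,
    email      => qr/^[\w.+-]+\@[\w.-]+$/,
);

# Copy request parameters into a hash, never into named variables.
# $names: array ref of parameter names; $get: code ref returning the value
# for a name (with CGI.pm, sub { $query->param($_[0]) } would fit).
sub read_form {
    my ($names, $get) = @_;
    my (%form, @rejected);
    for my $name (@$names) {
        my $value = $get->($name);
        if ($ALLOWED{$name} && defined $value && $value =~ $ALLOWED{$name}) {
            $form{$name} = $value;
        } else {
            push @rejected, $name;    # unexpected or malformed: worth logging
        }
    }
    return (\%form, \@rejected);
}

# Constructed request: two expected fields plus a parameter named after
# the configuration variable, as in the URL trick described above.
my %request = (
    membername => 'alice',
    email      => 'alice@example.org',
    SEND_MAIL  => '/path/program',
);

my ($form, $rejected) =
    read_form([sort keys %request], sub { $request{$_[0]} });

print "accepted: @{[ sort keys %$form ]}\n";
print "rejected: @$rejected\n";
print "SEND_MAIL is still $SEND_MAIL\n";
```

    Because request data only ever lands in %form, a parameter that
    shares a name with a configuration variable is rejected and the
    setting is untouched.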