COMMAND
Ikonboard
SYSTEMS AFFECTED
Ikonboard v2.1.7b
PROBLEM
Martin J. Muench found the following. This is another bug in
Ikonboard: anyone can read any file on the remote system with the
privileges of the web server.
File help.cgi (line 44):
$inhelpon = $query -> param('helpon');
So $inhelpon holds the raw value of the 'helpon' parameter, and it is used as follows (lines 95-97):
$filetoopen = "$ikondir" . "help/$inhelpon.dat";
$filetoopen = &stripMETA($filetoopen);
open (FILE, "$filetoopen") or die "Cannot locate the required files";
Well, it builds the file name, runs it through the filter and opens it.
We are not going to post the whole filter it uses, because they
really have managed to write a filter that is 24 lines long.
And they still forgot to filter the backslash, so we can easily
just attach the 'poison null byte' to '$inhelpon' and escape
the '.dat' suffix. And of course the script doesn't check for "..", so
we can specify any path we want.
Example:
http://www.gmc-online.de/cgi-bin/ikonboard/help.cgi?helpon=../../../../../etc/passwd%00
would show the password file, if it is readable with the
privileges of the web server.
http://www.gmc-online.de/cgi-bin/ikonboard/help.cgi?helpon=../members/<member>.cgi%00
replace <member> with the member name and it shows you his/her
board password (works with Administrator accounts too).
Version 2.16b is vulnerable to this attack as well.
SOLUTION
Not yet available. You could fix the script temporarily by
inserting the following line under line 45 in 'help.cgi':
$inhelpon =~ s/\///g;
This is lame, but it works. Another fix is simply to
insert as line 45:
if($inhelpon =~ /\.\./) { &hackdetected; }
and then append at the bottom:
sub hackdetected {
    print "Content-type: text/plain\n\n";
    print "sorry, this hole was patched :)\n";
    print "you have been logged.\n";
    exit;
}
Of course you could change this to whatever..
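A more robust replacement for the quoted help.cgi lines, added here as an example and not taken from the Ikonboard distribution: instead of stripping characters, it allowlists the topic name and then confirms the resulting path still lies under the help directory before opening it. It assumes a POSIX filesystem and an existing help directory; the $ikondir value is a constructed stand-in.

```perl
#!/usr/bin/perl
# Added example, not code from the Ikonboard distribution: a hardened
# replacement for the help.cgi lines quoted in the advisory.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(abs_path);

# Return the absolute path of "$ikondir/help/$topic.dat", or undef if $topic
# is not a plain topic name. Letters, digits, '_' and '-' only, so "..",
# "/", "\" and the %00 null byte from the advisory never reach open().
sub help_path {
    my ($ikondir, $topic) = @_;
    return undef unless defined $topic && $topic =~ /\A[A-Za-z0-9_-]{1,64}\z/;

    # Defence in depth: resolve the help directory and confirm the built
    # path is still inside it, even if the allowlist were loosened later.
    my $helpdir = abs_path(File::Spec->catdir($ikondir, 'help'));
    return undef unless defined $helpdir;
    my $file = File::Spec->catfile($helpdir, "$topic.dat");
    return undef unless index($file, "$helpdir/") == 0;
    return $file;
}

# What the open() in help.cgi would become: reject with a log line in the
# web server error log, and use the three-argument open with an explicit mode.
sub open_help_file {
    my ($ikondir, $inhelpon) = @_;
    my $filetoopen = help_path($ikondir, $inhelpon);
    if (!defined $filetoopen) {
        my $who = $ENV{REMOTE_ADDR} // 'unknown';
        warn "help.cgi: rejected helpon value from $who\n";
        print "Content-type: text/plain\n\nInvalid help topic.\n";
        exit;
    }
    open(my $fh, '<', $filetoopen) or die "Cannot locate the required files";
    return $fh;
}

# Offline check with constructed inputs (the second is the advisory's own).
my $ikondir = tempdir(CLEANUP => 1);          # constructed stand-in for $ikondir
mkdir File::Spec->catdir($ikondir, 'help') or die "mkdir: $!";
for my $in ('posting', "../../../../../etc/passwd\0", 'faq/../secret') {
    my $p = help_path($ikondir, $in);
    printf "%-32s => %s\n", $in =~ s/\0/\\0/r, defined $p ? $p : 'rejected';
}
```

Only the first input yields a path; the traversal and null-byte inputs are rejected before any file is touched.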