Ikonboard is a widely used web BBS program written in Perl. The program contains a security vulnerability that allows remote attackers to get administrative privileges. In some environments, an attacker may gain a 'nobody' shell.
Credit:
The information has been provided by Chen Jun.
Vulnerable systems:
Ikonboard ib219 and all older versions
File: Search.cgi
---[L.55-56]---
$inmembername = cookie("amembernamecookie");
$filename = $inmembername;
---
As we can see, $inmembername is the variable used to store the cookie 'amembernamecookie'.
---[L.66-]---
$searchfilename = "$ikondir" . "search/$filename";
---
---[L.124-131]---
open (SEARCH, ">$searchfilename") or die "Cannot save to the search folder";
print SEARCH "$CUR_TIME\n";
print SEARCH "$SEARCH_STRING\n";
print SEARCH "$TYPE_OF_SEARCH\n";
print SEARCH "$REFINE_SEARCH\n";
print SEARCH "$FORUMS_TO_SEARCH\n";
close (SEARCH);
---
It sets the filename, runs it through the filter, and opens it.
The variable $filename comes from the cookie amembernamecookie, and ".." is not filtered out of it. An attacker can send a fake cookie("amembernamecookie") to set up a new file or edit an existing file on the system. This means an attacker can write any content to any file and gain BBS administrative privileges.
On a UNIX-like system with PHP enabled, an attacker can upload a PHP-based shell.
Workaround:
Edit Search.cgi: before line 56 ($filename = $inmembername;), add the following:
$inmembername =~ s/\///g;
$inmembername =~ s/\.\.//g;
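
A stricter alternative to the two substitutions above is to refuse any cookie value that is not a plain name instead of rewriting it. The following is an added example, not code from Ikonboard or from the original advisory; the helper names, the 32-character limit and the allowed character set are assumptions, and the directory and cookie values are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper, not part of Ikonboard. Returns the path of the
# per-member search file, or undef if the cookie value is not a plain name.
sub search_file_for {
    my ($ikondir, $membername) = @_;
    return undef unless defined $membername;
    # Assumed policy: 1-32 letters, digits, '_' or '-'. \A and \z anchor the
    # whole string, so a trailing newline or embedded NUL cannot slip through.
    return undef unless $membername =~ /\A[A-Za-z0-9_-]{1,32}\z/;
    return File::Spec->catfile($ikondir, 'search', $membername);
}

# Write the saved-search record the way Search.cgi does, but only after
# validation, and with three-argument open so the mode is never taken
# from the file name.
sub save_search {
    my ($ikondir, $membername, @fields) = @_;
    my $path = search_file_for($ikondir, $membername) or return 0;
    open(my $fh, '>', $path) or die "Cannot save to the search folder: $!";
    print {$fh} "$_\n" for @fields;
    close($fh) or die "close failed: $!";
    return 1;
}

# Constructed test setup: a throwaway directory standing in for $ikondir.
my $ikondir = tempdir(CLEANUP => 1);
mkdir File::Spec->catdir($ikondir, 'search') or die "mkdir: $!";

# Constructed cookie values: one ordinary name and several that must be refused.
for my $cookie ('alice', '../outside', '..\\outside', 'sub/name', "alice\n", '') {
    my $ok = save_search($ikondir, $cookie, time, 'query', 'keywords');
    (my $shown = $cookie) =~ s/([^ -~])/sprintf('\\x%02x', ord $1)/ge;
    printf "%-14s %s\n", "'$shown'", $ok ? 'saved' : 'rejected';
}
```

If legitimate member names on a given board contain other characters, widen the allowed set deliberately rather than falling back to stripping characters from the input.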