STG Security Advisory: [SSA-20050120-22] JSBoard file disclosure vulnerability

2005-01-22T00:00:00
ID SECURITYVULNS:DOC:7644
Type securityvulns
Reporter Securityvulns
Modified 2005-01-22T00:00:00

Description

Revision 1.0
Date Published: 2005-01-20 (KST)
Last Update: 2005-01-20 (KST)
Disclosed by SSR Team (advisory@stgsecurity.com)

Summary

JSBoard is one of the widely used web BBS applications in Korea. Because of an input validation flaw, a malicious attacker can read arbitrary files.

Vulnerability Class

Implementation Error: Input validation flaw

Impact

Medium: arbitrary file disclosure

Affected Products

JSBoard 2.0.9 and prior.

Vendor Status: FIXED

2004-12-31 Vulnerability found.
2004-12-31 JSBoard developer notified.
2005-01-02 Developer confirmed.
2005-01-02 Update version released.
2005-01-20 Official release.

Details

PHP has a feature that discards input values containing null characters when magic_quotes_gpc = off. Because JSBoard's session.php doesn't sanitize the $table variable, a malicious attacker can read arbitrary files.


include_once "include/print.php";
parse_query_str();
$opt = $table ? "&table=$table" : "";
$opts = $table ? "?table=$table" : "";
...snip...


Proof of Concept

A local web proxy (e.g., Achilles) is required to prove the vulnerability.

http://[victim]/session.php?logins=true&m=logout&table=../../../../../../etc/passwd%00
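
For sites that ran an affected version, the request shape above can be searched for in web server access logs. The following is an added example, not part of the original advisory or of JSBoard: it assumes combined-format access logs and that legitimate table (board) names are plain identifiers; the function names and sample log entries are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log request line and status: "METHOD target HTTP/x.y" 200
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# Assumption: legitimate board (table) names are plain identifiers.
SAFE_TABLE_RE = re.compile(r"[A-Za-z0-9_]+")


def table_findings(value):
    """Return the reasons a decoded table value is not a plain board name."""
    reasons = []
    if "\x00" in value:
        reasons.append("null byte")
    if ".." in value:
        reasons.append("parent-directory sequence")
    if "/" in value or "\\" in value:
        reasons.append("path separator")
    if not reasons and not SAFE_TABLE_RE.fullmatch(value):
        reasons.append("unexpected characters")
    return reasons


def scan_line(line):
    """Return (client, status, table value, reasons) for a suspicious session.php hit."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    if not target.path.endswith("/session.php"):
        return None
    # parse_qs percent-decodes each value, so %00 becomes a real NUL here.
    for value in parse_qs(target.query).get("table", []):
        reasons = table_findings(value)
        if reasons:
            return line.split()[0], int(m.group(2)), value, reasons
    return None


def scan(lines):
    """Collect every suspicious hit from an iterable of log lines."""
    return [hit for hit in map(scan_line, lines) if hit]


# Constructed sample entries (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jan/2005:10:00:01 +0900] "GET /jsboard/session.php?m=logout&table=free HTTP/1.1" 200 512',
    '192.0.2.77 - - [22/Jan/2005:10:00:05 +0900] "GET /jsboard/session.php?logins=true&m=logout&table=../../../../../../etc/passwd%00 HTTP/1.1" 200 1873',
    '192.0.2.10 - - [22/Jan/2005:10:00:12 +0900] "GET /jsboard/list.php?table=free HTTP/1.1" 200 9021',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs record only the request line, so a table value sent in a POST body or cookie will not be visible to this check.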

Solution

Upgrade to 2.0.10:
http://kldp.net/frs/download.php/1729/jsboard-2.0.10.tar.gz

Vendor URL

http://kldp.net/projects/jsboard/

Credits

Jeremy Bae at STG Security