JSBoard Local File Include File Disclosure Vulnerability

Bugtraq ID:	12319
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Jan 20 2005 12:00AM
Updated:	Jan 20 2005 12:00AM
Credit:	Discovery of this vulnerability is credited to Jeremy Bae.
Vulnerable:	JSBoard JSBoard 2.0.9 JSBoard JSBoard 2.0.8 JSBoard JSBoard 2.0.7
Not Vulnerable:	JSBoard JSBoard 2.0.10

JSBoard Local File Include File Disclosure Vulnerability

JSBoard is reported prone to an issue that may allow a remote attacker to view the contents of arbitrary Web server readable files on the local drive.

A successful attack allows an attacker to include and view any Web server readable file on the affected computer.

JSBoard version 2.0.9 and prior when running with PHP 'magic_quotes_gpc' disabled are reported prone to this vulnerability.

JSBoard Local File Include File Disclosure Vulnerability

No exploit is required.

JSBoard Local File Include File Disclosure Vulnerability

Solution:
The vendor has released a fix to address this issue:


JSBoard JSBoard 2.0.7

• JSBoard 2.0.9-2.0.10.patch.gz
  http://kldp.net/frs/?group_id=148&release_id=1050

JSBoard JSBoard 2.0.8

• JSBoard 2.0.9-2.0.10.patch.gz
  http://kldp.net/frs/?group_id=148&release_id=1050

JSBoard JSBoard 2.0.9

• JSBoard 2.0.9-2.0.10.patch.gz
  http://kldp.net/frs/?group_id=148&release_id=1050

JSBoard Local File Include File Disclosure Vulnerability

References:

• JSBoard Product Page (JSBoard)
  
• STG Security Advisory: [SSA-20050120-22] JSBoard file disclosure vulnerability ()