BID:13272

AZ Bulletin Board Remote File Include Vulnerability

Info

AZ Bulletin Board Remote File Include Vulnerability

Bugtraq ID:	13272
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 20 2005 12:00AM
Updated:	Apr 20 2005 12:00AM
Credit:	James Bercegay is credited with the discovery of this issue.
Vulnerable:	AZ Bulletin Board AZbb 1.0.7 c AZ Bulletin Board AZbb 1.0.7 b AZ Bulletin Board AZbb 1.0.7 a

Not Vulnerable:	AZ Bulletin Board AZbb 1.0.8

Discussion

AZ Bulletin Board Remote File Include Vulnerability

A remote file include vulnerability affects AZ Bulletin Board. This issue is due to a failure of the application to validate ciritcal parameters before using them in a 'include()' function call.

An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the Web server process. This may facilitate unauthorized access.

Exploit / POC

AZ Bulletin Board Remote File Include Vulnerability

No exploit is required to leverage this issue.

Solution / Fix

AZ Bulletin Board Remote File Include Vulnerability

Solution:
The vendor has released an upgrade dealing with this issue.

AZ Bulletin Board AZbb 1.0.7 a

AZ Bulletin Board AZBB 1.0.08
http://azbb.cyaccess.com/azbb.php?1091872271

AZ Bulletin Board AZbb 1.0.7 b

AZ Bulletin Board AZBB 1.0.08
http://azbb.cyaccess.com/azbb.php?1091872271

AZ Bulletin Board AZbb 1.0.7 c

AZ Bulletin Board AZBB 1.0.08
http://azbb.cyaccess.com/azbb.php?1091872271

References

AZ Bulletin Board Remote File Include Vulnerability

References:

AZbb Change Log (AZ Bulletin Board)
AZbb Home Page (AZ Bulletin Board)
Multiple Security Issues Found In AZBB ("GulfTech Security Research" )