Ikonboard Remote File Disclosure Vulnerability
BID:2471
Info
Ikonboard Remote File Disclosure Vulnerability
| Bugtraq ID: | 2471 |
| Class: | Input Validation Error |
| CVE: |
CVE-2001-0360 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 11 2001 12:00AM |
| Updated: | Jul 11 2009 04:46AM |
| Credit: | Reported to bugtraq by "Martin J. Muench" <[email protected]> on March 11, 2001. |
| Vulnerable: |
Ikonboard.com ikonboard 2.1.7 b |
| Not Vulnerable: | |
Discussion
Ikonboard Remote File Disclosure Vulnerability
Ikonboard is a perl-based discussion forum script from ikonboard.com.
Versions of Ikonboard are vulnerable to remote disclosure of arbitrary files.
By adding a null byte to the name of a requested file, the attacker can defeat the script's inbuilt feature of appending the suffix '.dat' to requested filenames, a precaution intended to limit the range of files readable using this script.
Exploited in conjunction with '../' sequences inserted into the path of the requested file, this vulnerability allows a remote attacker to submit requests for arbitrary files which are readable by the webserver user.
This could include sensitive system information, including account information and passwords for Ikonboard users and administrators.
Ikonboard is a perl-based discussion forum script from ikonboard.com.
Versions of Ikonboard are vulnerable to remote disclosure of arbitrary files.
By adding a null byte to the name of a requested file, the attacker can defeat the script's inbuilt feature of appending the suffix '.dat' to requested filenames, a precaution intended to limit the range of files readable using this script.
Exploited in conjunction with '../' sequences inserted into the path of the requested file, this vulnerability allows a remote attacker to submit requests for arbitrary files which are readable by the webserver user.
This could include sensitive system information, including account information and passwords for Ikonboard users and administrators.
Exploit / POC
Ikonboard Remote File Disclosure Vulnerability
Example:
http://www.example.com/cgi-bin/ikonboard/help.cgi?helpon=../../../../../etc/passwd%00
will disclose /etc/passwd, if readable by the webserver.
http://www.example.com/cgi-bin/ikonboard/help.cgi?helpon=../members/[member].cgi%00
discloses the ikonboard account password for [member], including admin acounts.
Example:
http://www.example.com/cgi-bin/ikonboard/help.cgi?helpon=../../../../../etc/passwd%00
will disclose /etc/passwd, if readable by the webserver.
http://www.example.com/cgi-bin/ikonboard/help.cgi?helpon=../members/[member].cgi%00
discloses the ikonboard account password for [member], including admin acounts.
Solution / Fix
Ikonboard Remote File Disclosure Vulnerability
Solution:
From "Martin J. Muench" <[email protected]>:
You could fix the script temporary by inserting the following line under line 45 in 'help.cgi':
$inhelpon =~ s/\///g;
From [email protected]:
My fix for this was to simply insert as line 45:
if($inhelpon =~ /\.\./) { &hackdetected; }
then at the bottome append:
sub hackdetected {
print "Content-type: text/plain\n\n";
print "sorry, this hole was patched :)\n";
print "you have been logged.\n";
exit;
}
Solution:
From "Martin J. Muench" <[email protected]>:
You could fix the script temporary by inserting the following line under line 45 in 'help.cgi':
$inhelpon =~ s/\///g;
From [email protected]:
My fix for this was to simply insert as line 45:
if($inhelpon =~ /\.\./) { &hackdetected; }
then at the bottome append:
sub hackdetected {
print "Content-type: text/plain\n\n";
print "sorry, this hole was patched :)\n";
print "you have been logged.\n";
exit;
}
References
Ikonboard Remote File Disclosure Vulnerability
References:
References: