EvilOctal Information Security Team Technical Discussion Group's Archiver

EvilOctal 2005-1-4 06:30

[Repost] GNUBoard Multiple Extensions Vulnerability

Source: [url]www.securiteam.com[/url]

Summary
GNUBoard is "one of the most widely used web BBS applications in Korea". An input validation flaw in GNUBoard allows a malicious attacker to run arbitrary commands with the privileges of the HTTPD process, which typically runs as the nobody user.

Credit:
The information has been provided by SSR Team.

Details
Vulnerable Systems:
* GNUBoard version 3.40 and prior

GNUBoard's check of uploaded file extensions is case-sensitive, which allows an attacker to bypass the protection mechanism by using mixed-case extensions, for example [attack].PHP.rar or [attack].pHp.rar.

Vulnerable code in gbupdate.php (line 107):
// Case-sensitive patterns: only lowercase .php, .htm, .cgi and .pl are matched
$source = array ("/\.php/", "/\.htm/", "/\.cgi/", "/\.pl/");
$target = array (".phpx", ".htmx", ".cgix", ".plx");

Vulnerable code in gbupdate.php (line 142):
// Rename matched extensions, e.g. abc.php -> abc.phpx; a mixed-case .pHp is left untouched

$filename = preg_replace($source, $target, $filename);
// The (possibly unmodified) name becomes part of the path the file is stored under
$upload[$i] = $prefix . $filename;
$dest_file = "./data/file/$bo_table/$upload[$i]";

Workaround:
Modify line 108 of gbupdate.php as follows:
// The /i modifier makes each pattern match regardless of case
$source = array ("/\.php/i", "/\.htm/i", "/\.cgi/i", "/\.pl/i");
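
The following is an added example, not GNUBoard's own code: it runs the original case-sensitive pattern set and the /i-patched set from the workaround over a few constructed upload names, so the names that slip past the original check can be seen side by side with the patched result. The name neutralize() and the sample filenames are assumptions for this example.

```php
<?php
// Added example (not code from GNUBoard or the advisory): compare the
// case-sensitive renaming in gbupdate.php with the /i workaround.

// Original pattern set from gbupdate.php: matches lowercase extensions only.
$source_vuln = array('/\.php/', '/\.htm/', '/\.cgi/', '/\.pl/');
// Workaround from the advisory: /i makes each match case-insensitive.
$source_fixed = array('/\.php/i', '/\.htm/i', '/\.cgi/i', '/\.pl/i');
$target = array('.phpx', '.htmx', '.cgix', '.plx');

// Mirrors the preg_replace() call on line 142 of gbupdate.php.
function neutralize(array $patterns, array $target, string $filename): string
{
    return preg_replace($patterns, $target, $filename);
}

// Constructed upload names: lowercase, mixed case, and a double extension.
$samples = array('shell.php', 'shell.PHP', 'shell.pHp.rar', 'page.Htm', 'notes.txt');

printf("%-16s %-18s %-18s\n", 'upload name', 'case-sensitive', 'with /i');
foreach ($samples as $name) {
    $vuln  = neutralize($source_vuln, $target, $name);
    $fixed = neutralize($source_fixed, $target, $name);
    // Defender's check: after renaming, does a server-handled extension
    // still appear as a complete extension (followed by '.' or end of name)?
    $flag = preg_match('/\.(php|htm|cgi|pl)(\.|$)/i', $vuln) ? '  <- not neutralized' : '';
    printf("%-16s %-18s %-18s%s\n", $name, $vuln, $fixed, $flag);
}
```

Only the all-lowercase shell.php is rewritten by the original patterns; the mixed-case names are stored unchanged, while the /i set rewrites all of them.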

Disclosure Timeline:
2004-12-09 Vulnerability found
2004-12-09 Vendor contacted and confirmed
2005-01-03 Official release

© 1999-2008 EvilOctal Security Team