EvilOctal Security Team Technical Discussion Group's Archiver

EvilOctal 2005-1-24 23:29

[Repost] JSBoard Arbitrary File Reading

Source: [url]www.securiteam.com[/url]

Summary
JSBoard is "one of most widely used web BBS applications in Korea".

Due to improper input filtering by JSBoard a remote attacker can include arbitrary local files in the response the server returns, thus disclosing them.

Credit:
The information has been provided by SSR Team.

Details
Vulnerable Systems:
* JSBoard version 2.0.9 and prior

Immune Systems:
* JSBoard version 2.0.10 or newer

PHP has a feature that will discard any input values containing NULL characters whenever the item magic_quotes_gpc has been set to off. Because JSBoard's session.php doesn't sanitize the $table variable, a malicious attacker can use it to read arbitrary files.

Vulnerable code:
include_once "include/print.php";
parse_query_str();
$opt = $table ? "&table=$table" : "";
$opts = $table ? "?table=$table" : "";
...snip...

Proof of Concept:
http://[victim]/session.php?logins=true&m=logout&table=../../../../../../etc/passwd%00

Solution:
Upgrade to JSBoard version 2.0.10 or newer, available from: [url]http://kldp.net/frs/download.php/1729/jsboard-2.0.10.tar.gz[/url]

Disclosure Timeline:
2004-12-31 Vulnerability found.
2004-12-31 JSBoard developer notified.
2005-01-02 Developer confirmed.
2005-01-02 Update version released.
2005-01-20 Official release.
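
A defensive check for the request pattern in the proof of concept, as an added example that is not part of the original advisory or of JSBoard: it scans web-server access logs for session.php requests whose table parameter decodes to a NULL byte or a path-traversal sequence, including double-encoded forms. The log lines, the /jsboard/ path and the assumption that legitimate board names match [A-Za-z0-9_]+ are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines; addresses, paths and board names are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Jan/2005:10:01:02 +0900] "GET /jsboard/session.php?m=logout&table=free HTTP/1.1" 200 512
192.0.2.44 - - [21/Jan/2005:10:03:17 +0900] "GET /jsboard/session.php?logins=true&m=logout&table=../../../../../../etc/passwd%00 HTTP/1.1" 200 1873
192.0.2.44 - - [21/Jan/2005:10:03:40 +0900] "GET /jsboard/session.php?m=logout&table=%252e%252e%252fconfig%2500 HTTP/1.1" 200 431
192.0.2.77 - - [21/Jan/2005:10:05:00 +0900] "GET /jsboard/list.php?table=notice&page=2 HTTP/1.1" 200 9000
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SAFE_TABLE = re.compile(r"^[A-Za-z0-9_]+$")  # assumption: board names are plain identifiers

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        value, previous = unquote(value, encoding="latin-1"), value
        if value == previous:
            break
    return value

def classify_table(raw):
    """Return the reasons a raw (still-encoded) table value is suspicious."""
    value = fully_decode(raw)
    if not value:  # an empty table parameter is harmless
        return []
    reasons = []
    if "\x00" in value:
        reasons.append("null-byte")
    if ".." in value or "/" in value or "\\" in value:
        reasons.append("path-traversal")
    if not reasons and not SAFE_TABLE.match(value):
        reasons.append("unexpected-characters")
    return reasons

def scan(log_text):
    """Return (client_ip, raw_table_value, reasons) for suspicious session.php hits."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or not urlsplit(m.group(2)).path.endswith("/session.php"):
            continue
        for pair in urlsplit(m.group(2)).query.split("&"):
            key, _, raw = pair.partition("=")
            reasons = classify_table(raw) if key == "table" else []
            if reasons:
                findings.append((m.group(1), raw, reasons))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Parameters sent in a POST body do not appear in access logs, so this check only covers query-string requests.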

© 1999-2008 EvilOctal Security Team