Source:
www.securiteam.com
Summary
JSBoard is "one of most widely used web BBS applications in Korea".
Due to improper input filtering by JSBoard, a remote attacker can include arbitrary local files in the response the server returns, thus disclosing them.
Credit:
The information has been provided by SSR Team.
Details
Vulnerable Systems:
* JSBoard version 2.0.9 and prior
Immune Systems:
* JSBoard version 2.0.10 or newer
PHP has a feature that will discard any input values containing NULL characters whenever the magic_quotes_gpc setting has been set to off. Because JSBoard's session.php doesn't sanitize the $table variable, a malicious attacker can use it to read arbitrary files.
Vulnerable code:
include_once "include/print.php";
parse_query_str();
$opt = $table ? "&table=$table" : "";
$opts = $table ? "?table=$table" : "";
...snip...
Proof of Concept:
http://[victim]/session.php?logins=true&m=logout&table=../../../../../../etc/passwd%00
Solution:
Upgrade to JSBoard version 2.0.10 or newer, available from:
http://kldp.net/frs/download.php/1729/jsboard-2.0.10.tar.gz
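An illustration of the input check that session.php lacks, added here and not taken from JSBoard or its 2.0.10 fix: the table value is restricted to a short identifier, and the resolved path is then confirmed to stay under the board directory. The function names and the <root>/<table>/config.php layout are assumptions.

```php
<?php
// Added example, not JSBoard code. The <root>/<table>/config.php layout and
// both function names are assumptions made for illustration.

// Accept only a short identifier: no slashes, dots, NUL bytes or whitespace.
function validate_table_name($raw): ?string
{
    if (!is_string($raw)) {
        return null;                       // e.g. table[]=x arrives as an array
    }
    // \A and \z anchor the whole string; "$" would tolerate a trailing newline.
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $raw) === 1 ? $raw : null;
}

// Second layer: resolve the final path and confirm it is still under $root.
// Call this only with a name that passed validate_table_name().
function board_config_path(string $root, string $table): ?string
{
    $rootReal = realpath($root);
    $path = realpath($root . '/' . $table . '/config.php');
    if ($rootReal === false || $path === false) {
        return null;                       // root or target does not exist
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a temporary board directory and sample parameter values.
$root = sys_get_temp_dir() . '/jsb_demo_' . getmypid();
mkdir($root . '/notice', 0700, true);
file_put_contents($root . '/notice/config.php', "<?php // board settings\n");

$samples = ['notice', "../../../../../../etc/passwd\0", '../notice', "notice\n", ['x']];
foreach ($samples as $raw) {
    $table = validate_table_name($raw);
    $path = $table === null ? null : board_config_path($root, $table);
    $shown = json_encode($raw, JSON_UNESCAPED_SLASHES);
    printf("%-45s => %s\n", $shown, $path === null ? 'rejected' : 'ok');
}

// Remove the constructed demo files.
unlink($root . '/notice/config.php');
rmdir($root . '/notice');
rmdir($root);
```

Only the first sample, notice, resolves to a file; the traversal string with the trailing NUL byte, the relative path, the newline-terminated name and the array value are all rejected before any path is built.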
Disclosure Timeline:
2004-12-31 Vulnerability found.
2004-12-31 JSBoard developer notified.
2005-01-02 Developer confirmed.
2005-01-02 Update version released.
2005-01-20 Official release.