
Title: Remote vulnerability in ikonboard up to version 2.1.7b
Released by: Gijs Hollestelle
Date: 27th December 2000
Summary:
--------
Ikonboard is a free forum system, similar to UBB and UB. Versions up to and
including 2.1.7b contain a vulnerability that allows commands to be executed
as the script user. This compromises the security of the system running
the board and allows an attacker to get the passwords of the board users,
because they are in no way encrypted/hashed.



Details:
--------
The problem lies in the following piece of DIRTY Perl code, found in
register.cgi (and other files):



@params = $query->param;
foreach $param(@params) {
  $theparam = $query->param($param);
  $theparam = &unHTML("$theparam");
  ${$param} = $theparam;
}



This code allows an attacker to override any scalar variable, and therefore
also the settings made in data/boardinfo.cgi. This would have been only a
minor problem if there had not been a $SEND_MAIL setting, which contains the
location of the sendmail binary used to send out emails containing passwords
for new registrations and other things. An attacker can now execute any
program as the script user by putting &SEND_MAIL=/path/program in the URL and
making the program send an email, for example by signing up as a new user and
setting the passwordverification option to yes using this same trick.



An exploit for this vulnerability is trivial and I will not post it here
as it would only be used by script-kiddies.



Solution:
---------
Shortly after I informed the author of this vulnerability a fix was issued,
and the vulnerability is now fixed. (The version number seems to be
unchanged, though.) To see if you have a fixed version, check register.cgi
and see if it contains the following code instead of the code listed above:



for ('inmembername','password','emailaddress',
  'showemail','homepage','aolname','icqnumber','location','interests',
  'signature','timedifference','useravatar','action') {
    next unless defined $_;
    next if $_ eq 'SEND_MAIL';
    $tp = $query->param($_);
    $tp = &unHTML("$tp");
    ${$_} = $tp;
}



Please note that I am not sure if the new version is safe. There appear to
be more problems, the complete absence of encryption being just one of them.
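
The two approaches side by side, as an added example that is not part of the
advisory or of Ikonboard's code: the symbolic-reference loop from register.cgi
against an allowlist that copies values into a hash, so no request parameter
can name a program variable. The %request hash and its values are constructed
stand-ins for the CGI query object, and unHTML escaping is left out.

```perl
#!/usr/bin/perl
# Added example (not Ikonboard code). %request stands in for the values a
# CGI query object would return; its contents are constructed sample input.
use strict;
use warnings;

our $SEND_MAIL = '/usr/lib/sendmail';    # setting normally loaded from data/boardinfo.cgi

my %request = (                          # constructed request parameters
    inmembername => 'alice',
    emailaddress => 'alice@example.com',
    SEND_MAIL    => '/path/program',     # parameter named after a config variable
);

# Pattern from the advisory: every parameter name becomes a variable name.
sub import_all_params {
    my ($req) = @_;
    no strict 'refs';                    # symbolic references need strict refs off
    for my $param (keys %$req) {
        ${$param} = $req->{$param};      # writes $main::<param>, including $main::SEND_MAIL
    }
    return;
}

# Hardened form: allowlisted names, copied into a hash instead of the symbol table.
my @ALLOWED = qw(inmembername password emailaddress showemail homepage aolname
                 icqnumber location interests signature timedifference useravatar action);

sub import_allowed_params {
    my ($req) = @_;
    my %form;
    for my $name (@ALLOWED) {
        next unless defined $req->{$name};
        $form{$name} = $req->{$name};    # unknown names such as SEND_MAIL are never read
    }
    return \%form;
}

my $form = import_allowed_params(\%request);
print "hardened:   SEND_MAIL=$SEND_MAIL, fields=", join(',', sort keys %$form), "\n";

import_all_params(\%request);
print "vulnerable: SEND_MAIL=$SEND_MAIL\n";
```

Running a script under `use strict` makes the original loop die at the first symbolic reference, which is a quick way to find the other files that use it.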



Conclusion:
-----------
Ikonboard is very nice-looking, user-friendly forum software, but it
has some security issues. Maybe it would be better to wait for the 2.2
release, which should fix a lot of these issues.



--
Gijs

I say don't drink and drive,
  you might spill your beer.







