OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Remote vulnerability in Ikonboard upto version 2.1.7b
From: Gijs Hollestelle (gijsGEWIS.WIN.TUE.NL)
Date: Thu Dec 28 2000 - 04:59:02 CST


Summary:
--------
Ikonboard is a free forum system. Similair to UBB and UB. Versions up to and
including 2.1.7b contain a vulnerability that allows commands to be executed
as the script user. Therefore compromising security of the system running
the board and allowing an attacker to get passwords of the board users,
because they are in no way encrypted/hashed.

Details:
--------
The problem lies in the following piece of DIRTY perl code, found in
register.cgi (and other files):

params = $query->param;
foreach $param(params) {
  $theparam = $query->param($param);
  $theparam = &unHTML("$theparam");
  ${$param} = $theparam;
}

This code allows an attacker to override any scalar variable, therefore also
the settings made in data/boardinfo.cgi. This would have been only a minor
problem if there wouldnt have been a $SEND_MAIL setting. Containing the
location of the sendmail binary to send out emails containing passwords for
new registrations and other things. An attacker can now execute any program
as the script user by putting &SEND_MAIL=/path/program in the URL and making
the program send an email for example by signing up as a new user and
setting the passwordverification option to yes using this same trick.

An exploit for this is vulnerability is trivial and I will not post it here
as it would only be used by script-kiddies.

Solution:
---------
Shortly after i informed the author of this vulnerability a fix was issued
and now this vulnerability is fixed. (Version number seems to be un-changed
though) to see if you have a fixed version checkout register.cgi and see if
it contains the following code instead of the code listed above:

for ('inmembername','password','emailaddress',
  'showemail','homepage','aolname','icqnumber','location','interests',
  'signature','timedifference','useravatar','action') {
    next unless defined $_;
    next if $_ eq 'SEND_MAIL';
    $tp = $query->param($_);
    $tp = &unHTML("$tp");
    ${$_} = $tp;
}

Please note that i am not sure if the new version is safe. There appear to
be more problems, the complete absence of encryption being just one of them.

Conclusion:
-----------
Ikonboard is very nicely looking user friendly forum software but it
has some security issues. Maybe it would be better to wait for the 2.2
release that should fix alot of these issues.

--
Gijs

I say don't drink and drive, you might spill your beer.