Subject: Re: Remote vulnerability in Ikonboard upto version 2.1.7b
From: ___cliff rayman___ (cliff GENWAX.COM)
Date: Thu Dec 28 2000 - 17:15:08 CST
- Next message: Alfred Perlstein: "Re: Exploiting Kernel Buffer Overflows FreeBSD Style"
- Previous message: SECURITYFOCUS.COM: "(no subject)"
- In reply to: Gijs Hollestelle: "Remote vulnerability in Ikonboard upto version 2.1.7b"
- Reply: ___cliff rayman___: "Re: Remote vulnerability in Ikonboard upto version 2.1.7b"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Gijs Hollestelle wrote:
> Summary:
> --------
> Ikonboard is a free forum system. Similar to UBB and UB. Versions up to and
> including 2.1.7b contain a vulnerability that allows commands to be executed
> as the script user. Therefore compromising security of the system running
> the board and allowing an attacker to get passwords of the board users,
> because they are in no way encrypted/hashed.
> ---8<----
>
> Solution:
> ---------
> Shortly after I informed the author of this vulnerability a fix was issued
> and now this vulnerability is fixed. (Version number seems to be unchanged
> though.) To see if you have a fixed version, check out register.cgi and see if
> it contains the following code instead of the code listed above:
>
> for ('inmembername','password','emailaddress',
> 'showemail','homepage','aolname','icqnumber','location','interests',
> 'signature','timedifference','useravatar','action') {
> next unless defined $_;
hmmm.... when would $_ be undefined???
I think he meant to write:
next unless defined $query->param($_);
>
> next if $_ eq 'SEND_MAIL';
how could $_ equal 'SEND_MAIL' if it is not in the list passed to for??
>
> $tp = $query->param($_);
> $tp = &unHTML("$tp");
> ${$_} = $tp;
> }
>
>
-- ___cliff rayman___cliffgenwax.com___http://www.genwax.com/
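The fix quoted above imports a fixed list of form fields and assigns each one through a symbolic reference (`${$_} = $tp`), and the reply points out that `next unless defined $_` tests the loop variable rather than the parameter value. The following is an added example, not Ikonboard's code or anything from either poster: it keeps the same whitelist of field names, applies the `defined $query->param($name)` check the reply suggests, and stores the cleaned values in a hash so the script can run under `use strict` with no symbolic references at all. The `FakeQuery` class and the `unHTML` body are stand-ins constructed for this example; a real script would use `CGI->new` and the board's own `unHTML`.

```perl
#!/usr/bin/perl
# Added example (not Ikonboard's code): import only whitelisted CGI
# parameters, skip the ones the client did not send, and keep them in a
# hash instead of writing through symbolic references.
use strict;
use warnings;

# Constructed stand-in for CGI.pm's query object (assumption for this
# example). param($name) returns undef for parameters the client did not send.
package FakeQuery;
sub new   { my ($class, %p) = @_; return bless { %p }, $class }
sub param { my ($self, $name) = @_; return $self->{$name} }

package main;

# Hypothetical unHTML: escape the characters that would start markup.
sub unHTML {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

# Same field names as the quoted fix; nothing outside this list is imported.
my @allowed = qw(inmembername password emailaddress showemail homepage
                 aolname icqnumber location interests signature
                 timedifference useravatar action);

# Returns a hash ref of cleaned values keyed by field name.
sub import_params {
    my ($query) = @_;
    my %field;
    for my $name (@allowed) {
        # Test the parameter value, not the loop variable, as the reply suggests.
        next unless defined $query->param($name);
        $field{$name} = unHTML($query->param($name));
    }
    return \%field;
}

# Constructed request: two allowed fields (one containing markup) and one
# parameter that is not on the whitelist and must be ignored.
my $q = FakeQuery->new(
    inmembername => 'alice',
    signature    => '<b>hi</b>',
    unexpected   => 'ignored',
);
my $f = import_params($q);
print "$_ = $f->{$_}\n" for sort keys %$f;
```

Storing the fields in `%field` rather than assigning to `${$_}` is what makes `use strict` possible here; under `strict refs`, the symbolic-reference form in the quoted fix would not compile, which is a useful way to catch that construct elsewhere in a CGI script.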