[18373] in bugtraq
Re: Remote vulnerability in Ikonboard upto version 2.1.7b
daemon@ATHENA.MIT.EDU (___cliff rayman___)
Fri Dec 29 13:25:29 2000
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <3A4BC97C.AB8A4465@spamless.genwax.com>
Date: Thu, 28 Dec 2000 15:15:08 -0800
Reply-To: ___cliff rayman___ <cliff@GENWAX.COM>
From: ___cliff rayman___ <cliff@GENWAX.COM>
X-To: Gijs Hollestelle <gijs@GEWIS.WIN.TUE.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Gijs Hollestelle wrote:
> Summary:
> --------
> Ikonboard is a free forum system. Similair to UBB and UB. Versions up to and
> including 2.1.7b contain a vulnerability that allows commands to be executed
> as the script user. Therefore compromising security of the system running
> the board and allowing an attacker to get passwords of the board users,
> because they are in no way encrypted/hashed.
> ---8<----
>
> Solution:
> ---------
> Shortly after i informed the author of this vulnerability a fix was issued
> and now this vulnerability is fixed. (Version number seems to be un-changed
> though) to see if you have a fixed version checkout register.cgi and see if
> it contains the following code instead of the code listed above:
>
> for ('inmembername','password','emailaddress',
> 'showemail','homepage','aolname','icqnumber','location','interests',
> 'signature','timedifference','useravatar','action') {
> next unless defined $_;
hmmm.... when would $_ be undefined???
i think he meant to write:
next unless defined $query->param($_);
>
> next if $_ eq 'SEND_MAIL';
how could $_ equal 'SEND_MAIL' if it is not in the list passed to for??
>
> $tp = $query->param($_);
> $tp = &unHTML("$tp");
> ${$_} = $tp;
> }
>
>
--
___cliff rayman___cliff@genwax.com___http://www.genwax.com/
