EkinBoard <= 1.1.0 Remote File Upload / Auth Bypass Vulnerabilities

2009-09-02 / 2009-09-03

Credit: underwater

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2008-7156 | CVE-2008-7157

CWE: CWE-287
CWE-264

----[ EkinBoard Remote File Upload / Auth Bypass ... ITDefence.ru Antichat.ru ]
EkinBoard >= 1.1.0 Remote File Upload / Auth Bypass
Eugene Minaev underwater@itdefence.ru
.\ \\ -[ ITDEFENCE.ru Security advisory ]- // // / .
We can bypass admin authorization if register_globals on . All admin panel script include this code
<?php
if(!in_array(2, $_groups)){
die("<center><span class=red>You need to be an admin to access this page!</span></center>");
}
?>
test1.ru/skvoznoy/backup.php?_groups[]=2
There is a bug in upload function . We can upload any file bypass filters . Name your shell like
file.php.gif and select it as your avatar . Then check uploaded/avatars/filename_your_id.php
----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]

Referencje:

http://xforce.iss.net/xforce/xfdb/39507

http://www.securityfocus.com/bid/27166

http://www.milw0rm.com/exploits/4859

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

EkinBoard <= 1.1.0 Remote File Upload / Auth Bypass Vulnerabilities

Referencje:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.