Easy Message Board Directory Traversal and Remote Command

To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, sec@xxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx, alerts_advisories@xxxxxxxxxxxxxxxx
Subject: Easy Message Board Directory Traversal and Remote Command
From: SoulBlack Group <soulblacktm@xxxxxxxxx>
Date: Sun, 8 May 2005 18:59:14 -0300
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=FvMldws3Bza2LjwJAc32LU4gLdQDcjn2JYFzcv0lgjMZuJ4n/3RzQwX8xiIlBsygCO/hR7F3THK4tqwwBO6f9uW9oEQSCDQeLxTo3zDhCPd5wUyfAnc0abZzxJ3FIjHILA2kYU6ZmyrK+6DBXzj/8/EPV0vZPchLhiI17sI8JJ4=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: SoulBlack Group <soulblacktm@xxxxxxxxx>

============================================================

============================================================
Title: Easy Message Board Directory Traversal and Remote Command Execution
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 08/05/2005
Severity: High. Remote Users Can Execute Arbitrary Code.
Affected version: Easy Message Board
Vendor: http://www.geocentral.net/colscripts/index.html
============================================================

============================================================

* Summary *

Easy Message Board is "Easy Message Board"

------------------------------------------------------------------------------------------------------------------------

* Technical Description *


A new vulnerability was identified in Easy Message Board, which may be
exploited by attackers to compromise a vulnerable web server. This
flaw is due to an input validation error in the "easymsgb.pl" script
where the variable print that is put under "open()", does not have a
control of data, which may be exploited by a remote attacker to
execute arbitrary commands with the privileges of the web server.

------------------------------------------------------------------------------------------------------------------------

* Example *

http://SITE/cgi-bin/emsgb/easymsgb.pl?print=../../../../../../../../etc/passwd
http://SITE/cgi-bin/emsgb/easymsgb.pl?print=|id|

------------------------------------------------------------------------------------------------------------------------

* Fix *

Contact the Vendor.

------------------------------------------------------------------------------------------------------------------------

* References *

http://www.soulblack.com.ar/repo/papers/easymsgb_advisory.txt 

------------------------------------------------------------------------------------------------------------------------

* Credits *

Vulnerability reported by SoulBlack Security Research

============================================================
--
SoulBlack - Security Research
http://www.soulblack.com.ar

Prev by Date: Firefox Remote Compromise Technical Details
Next by Date: Viruses can evade Sophos Anti-Virus
Previous by thread: Firefox Remote Compromise Technical Details
Next by thread: Viruses can evade Sophos Anti-Virus
Index(es):
- Date
- Thread