CVE-2001-0360
CVSS 5.0
Published: 2001-06-27 00:00:00
Revised: 2009-04-03 00:08:05

[Original] Directory traversal vulnerability in help.cgi in Ikonboard 2.1.7b and earlier allows a remote attacker to read arbitrary files via a .. (dot dot) attack in the helpon parameter.


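[CNNVD] Ikonboard remote file disclosure vulnerability (CNNVD-200106-201)

        A directory traversal vulnerability exists in help.cgi in Ikonboard 2.1.7b and earlier. A remote attacker can read arbitrary files via a .. (dot dot) attack in the helpon parameter.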

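- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]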

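- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definition found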

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0360
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0360
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200106-201
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/static/6216.php
(VENDOR_ADVISORY)  XF  ikonboard-cgi-read-files
http://www.securityfocus.com/bid/2471
(VENDOR_ADVISORY)  BID  2471
http://archives.neohapsis.com/archives/bugtraq/2001-03/0124.html
(VENDOR_ADVISORY)  BUGTRAQ  20010311 Ikonboard v2.1.7b "show files" vulnerability

- Vulnerability information

Ikonboard remote file disclosure vulnerability
Medium severity  Path traversal
2001-06-27 00:00:00 2009-04-03 00:00:00
Remote

- Advisories and patches

From "Martin J. Muench" <muench@gmc-online.de>:

You could fix the script temporarily by inserting the following line under line 45 in 'help.cgi':

    $inhelpon =~ s/\///g;

From decker@n3t.net:

My fix for this was to simply insert as line 45:

    if($inhelpon =~ /\.\./) { &hackdetected; }

then at the bottom append:

    sub hackdetected {
        print "Content-type: text/plain\n\n";
        print "sorry, this hole was patched :)\n";
        print "you have been logged.\n";
        exit;
    }

- Vulnerability information (20683)

Ikonboard 2.1.7 b Remote File Disclosure Vulnerability (EDBID:20683)
cgi remote
2001-03-11 Verified
0 Martin J. Muench
N/A
source: http://www.securityfocus.com/bid/2471/info

Ikonboard is a perl-based discussion forum script from ikonboard.com.

Versions of Ikonboard are vulnerable to remote disclosure of arbitrary files.

By adding a null byte to the name of a requested file, the attacker can defeat the script's inbuilt feature of appending the suffix '.dat' to requested filenames, a precaution intended to limit the range of files readable using this script.

Exploited in conjunction with '../' sequences inserted into the path of the requested file, this vulnerability allows a remote attacker to submit requests for arbitrary files which are readable by the webserver user.

This could include sensitive system information, including account information and passwords for Ikonboard users and administrators. 

Example:

http://www.example.com/cgi-bin/ikonboard/help.cgi?helpon=../../../../../etc/passwd%00

will disclose /etc/passwd, if readable by the webserver.

http://www.example.com/cgi-bin/ikonboard/help.cgi?helpon=../members/[member].cgi%00

discloses the ikonboard account password for [member], including admin accounts.
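
One way to validate the helpon value before it is used in a file name, as an added example (not Ikonboard's code and not from either poster quoted above). The sub and variable names, the 64-character limit and the temporary help directory are assumptions; the value is rejected outright rather than edited, so neither the NUL byte nor the '../' sequences described above reach the file open.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);

# Allowlist for a help topic name: letters, digits, underscore, hyphen only.
# \A and \z anchor the whole string, so a NUL byte, '/', '\' or '.' anywhere
# in the value fails the match instead of being stripped or truncated later.
my $TOPIC_RE = qr/\A[A-Za-z0-9_-]{1,64}\z/;

# Returns the path of the .dat file for $topic inside $help_dir, or undef.
sub resolve_help_topic {
    my ($help_dir, $topic) = @_;
    return unless defined $topic && $topic =~ $TOPIC_RE;

    my $base = realpath($help_dir);
    return unless defined $base;
    my $path = realpath("$base/$topic.dat");

    # Second layer: the resolved path must be a regular file that sits
    # directly in the help directory; a symlinked topic file is refused.
    return unless defined $path && -f $path;
    return unless $path eq "$base/$topic.dat";
    return $path;
}

# Constructed demo: a temporary help directory with one topic file.
my $dir = tempdir(CLEANUP => 1);
open(my $fh, '>', "$dir/posting.dat") or die "cannot create sample: $!";
print {$fh} "How to post a message.\n";
close($fh);

# The first two values are the decoded helpon values from the example URLs
# above (%00 decodes to a NUL byte); the last two are constructed.
my @samples = (
    "../../../../../etc/passwd\0",
    "../members/[member].cgi\0",
    "posting\0",
    "posting",
);
for my $value (@samples) {
    (my $shown = $value) =~ s/\0/\\0/g;
    my $path = resolve_help_topic($dir, $value);
    printf "%-32s %s\n", $shown, defined $path ? "served" : "rejected";
}
```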

- Vulnerability information

7707
Ikonboard help.cgi helpon Parameter Traversal Arbitrary File Access
Remote / Network Access Information Disclosure
Loss of Confidentiality
Exploit Public

- Vulnerability description

Ikonboard contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the 'help.cgi' script not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the 'helpon' parameter.

- Timeline

2001-03-11 Unknown
2001-03-11 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related references

- Vulnerability author

- Vulnerability information

Ikonboard Remote File Disclosure Vulnerability
Input Validation Error 2471
Yes No
2001-03-11 12:00:00 2009-07-11 04:46:00
Reported to bugtraq by "Martin J. Muench" <muench@gmc-online.de> on March 11, 2001.

- Affected software versions

Ikonboard.com ikonboard 2.1.7 b
- BSDI BSD/OS 4.0.1
- Conectiva Linux 6.0
- Debian Linux 2.2
- Digital (Compaq) TRU64/DIGITAL UNIX 5.0
- FreeBSD FreeBSD 4.2
- HP HP-UX 11.11
- IBM AIX 4.3.3
- Mandriva Linux Mandrake 7.2
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0
- NetBSD NetBSD 1.4.3
- OpenBSD OpenBSD 2.8
- RedHat Linux 7.0
- S.u.S.E. Linux 7.0
- SCO eServer 2.3
- Sun Solaris 8_sparc
