Vendor: EkinBoard
By: Eugene Minaev
CVSS: 7.5 (HIGH)
Type: Authentication Bypass
CWE: 287
Product Name: EkinBoard
Affected Version From: 1.1.2000
Affected Version To: 1.1.2000
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

EkinBoard Remote File Upload / Auth Bypass

EkinBoard versions 1.1.0 and below are vulnerable to an authentication bypass. When register_globals is on, an attacker can bypass the admin check by setting the _groups[] parameter to 2, appended to the URL, for example: test1.ru/skvoznoy/backup.php?_groups[]=2. Additionally, the upload function can be used to upload any file, bypassing the filters: the attacker names the shell file.php.gif and selects it as their avatar. The uploaded file can then be found at uploaded/avatars/filename_your_id.php.

Mitigation:

Disable register_globals and ensure that authentication checks are properly implemented.
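
One way to apply this mitigation, as an added example that is not EkinBoard's code or part of the advisory: the admin check reads group membership from the session only, and the avatar handler chooses the stored file name itself. The function names, the `groups` session key and the `avatar_<id>` naming scheme are assumptions.

```php
<?php
// Added example, not EkinBoard code: names and the session key are hypothetical.
declare(strict_types=1);

const ADMIN_GROUP_ID = 2; // the group id tested by the advisory's snippet

// Membership comes from server-side session state set at login (stored as
// integers), never from a global that a request parameter could populate.
function is_admin(array $session): bool
{
    $groups = $session['groups'] ?? [];
    return is_array($groups) && in_array(ADMIN_GROUP_ID, $groups, true);
}

function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_admin($_SESSION)) {
        http_response_code(403);
        exit('You need to be an admin to access this page!');
    }
}

// The stored name is built from the user id and the detected image type, so
// a client-supplied name such as "file.php.gif" never reaches the disk.
// Returns null when the content is not an allowed image.
function avatar_target_name(string $tmpPath, int $userId): ?string
{
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    $info = @getimagesize($tmpPath); // inspects file content, not its name
    if ($info === false || !isset($allowed[$info[2]])) {
        return null;
    }
    return sprintf('avatar_%d.%s', $userId, $allowed[$info[2]]);
}

function store_avatar(array $file, int $userId, string $dir): bool
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    $name = avatar_target_name($file['tmp_name'], $userId);
    return $name !== null && move_uploaded_file($file['tmp_name'], "$dir/$name");
}
```

Serving the avatar directory with script execution disabled adds a second layer in case a file with an executable extension is ever written there.
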

Exploit-DB raw data:

----[ EkinBoard Remote File Upload / Auth Bypass ... ITDefence.ru Antichat.ru ]

							EkinBoard >= 1.1.0 Remote File Upload / Auth Bypass
							Eugene Minaev underwater@itdefence.ru 
				___________________________________________________________________
			____/  __ __ _______________________ _______  _______________    \  \   \
			/ .\  /  /_// //              /        \       \/      __       \   /__/   /
			/ /     /_//              /\        /       /      /         /     /___/
			\/        /              / /       /       /\     /         /         /
			/        /               \/       /       / /    /         /__       //\
			\       /    ____________/       /        \/    __________// /__    // /   
			/\\      \_______/        \________________/____/  2007    /_//_/   // //\
			\ \\                                                               // // /
			.\ \\        -[     ITDEFENCE.ru Security advisory     ]-         // // / . 
			. \_\\________[________________________________________]_________//_//_/ . .
			
		We can bypass admin authorization if register_globals is on. All admin panel scripts include this code
		
		<?php
		if(!in_array(2, $_groups)){
		die("<center><span class=red>You need to be an admin to access this page!</span></center>");
		} 
		?>
		
		test1.ru/skvoznoy/backup.php?_groups[]=2
		
		There is a bug in the upload function. We can upload any file, bypassing filters. Name your shell like
		file.php.gif and select it as your avatar. Then check uploaded/avatars/filename_your_id.php

----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]

# milw0rm.com [2008-01-07]