Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11785
HistoryMar 12, 2006 - 12:00 a.m.

[Full-disclosure] [INetCop Security Advisory] zeroboard IP session bypass XSS vulnerability

2006-03-1200:00:00
vulners.com
36
JSON
    ========================================
    INetCop Security Advisory #2006-0x82-029
    ========================================
  • Title: zeroboard IP session bypass XSS vulnerability

0x01. Description

Zeroboard is a popular web notice board used in Korea.

INetCop Security found XSS vulnerability in the latest zeroboard version 4.1 pl 7 (2005. 4. 4).
Basically, zeroboard uses the following algorithm so that session may not be abused
by the attack related with cookie. (e.g: cookie spoofing, sniffing)

After login, is part that handle session: –

bbs/login_check.php:

24 // Иёїш·О±ЧАОАМ јє°шЗПїґА» °жїм јјјЗА» »эјєЗП°н ЖдАМБцё¦ АМµїЗФ
25 if($member_data[no]) {
26
27 if($auto_login) {
28 makeZBSessionID($member_data[no]);
29 }
30
31 // 4.0x їл јјјЗ Гіё®
32 $zb_logged_no = $member_data[no];
33 $zb_logged_time = time();
34 $zb_logged_ip = $REMOTE_ADDR; <— Recording IP address
35 $zb_last_connect_check = '0';
36
37 session_register("zb_logged_no");
38 session_register("zb_logged_time");
39 session_register("zb_logged_ip");
40 session_register("zb_last_connect_check");
41

If IP address is different from present session user's, connection terminates: –

bbs/lib.php:

94                  // јјјЗ °ЄА» ГјЕ©ЗПї© ·О±ЧАОА» Гіё®
95                  } elseif&#40;$HTTP_SESSION_VARS[&quot;zb_logged_no&quot;]&#41; {
96
97                          // ·О±ЧАО ЅГ°ЈАМ БцБ¤µИ ЅГ°ЈА» іСѕъ°ЕіЄ ·О±ЧАО

ѕЖАМЗЗ°Ў ЗцАз »зїлАЪАЗ ѕЖАМЗЗїН ґЩё¦ °жїм ·О±ЧѕЖїф ЅГЕґ
98 if(time()-$HTTP_SESSION_VARS["zb_logged_time"]>
$_zbDefaultSetup["login_time"]||$HTTP_SESSION_VARS["zb_logged_ip"]!=$REMOTE_ADDR)
{
99
100 $zb_logged_no=""; // session initialization
101 $zb_logged_time="";
102 $zb_logged_ip="";
103 session_register("zb_logged_no");
104 session_register("zb_logged_ip");
105 session_register("zb_logged_time");
106 session_destroy();
107
108 // АЇИїЗТ °жїм ·О±ЧАО ЅГ°ЈА» ґЩЅГ јіБ¤
109 } else {

This seems to be intercepting cookie hacking.
But, if we take advantage of IP session disablement technique, session bypassing may be possible.
Detailed explanation about the way to exploit this vulnerability is found at the following

reference.

URL: http://x82.inetcop.org/h0me/papers/iframe_tag_exploit.txt (Korean)

As a result, hacker through administrator's web browser exploit code workably become.

0x02. Vulnerable Packages

Vendor site: http://www.nzeo.com/

Low versions including Zeroboard 4.1 pl 7 (2005. 4. 4) version.
-zb41pl7.tar.Z

Disclosure Timeline:
2003-04.??: Vulnerabilities found.
2006-02.17: 1st vendor contact. (didn't respond)
2006-02.22: 2nd vendor contact. (didn't respond)
2006-02.25: Vendor responded, patch released.
2006-03.12: Public disclosure.

0x03. Exploit

We have 2 `Proof-of-Concept' exploit about this vulnerability.

This XSS vulnerability happens in memo box title and user email, homepage information input.
When administrator logins and checks a user information page, attack code can be achieved,
and there is another way, which injects an attack code in memo title.
After exploit, an attacker can inject PHP code through an administrator web page function.
Through this PHP code injection, the attacker(normal user) can change the password of

administrator,
and take administrator's privilege

To prevent the abuse of this vulnerabilty, INetCop Security will not publish POC code.

0x04. Patch

INetCop Security released temporary patch:
INetCop Security Patch URL: http://inetcop.net/upfiles/Zeroboard-4.1_pl7_patch.tgz

And vendor's patch after INetCop Security advisory:
Vendor Patch URL: http://www.nzeo.com/bbs/zboard.php?id=cgi_bugreport2&amp;no=5406


Thank you.

P.S: I give thanks to Securityproof that suffer translation.
Korean Advisory URL: http://www.inetcop.org/upfiles/33INCSA.2006-0x82-029-zeroboard.pdf


By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.

MSN & E-mail: szoahc(at)hotmail(dot)com,
xploit(at)hackermail(dot)com

INetCop Security Home: http://www.inetcop.org
My World: http://x82.inetcop.org

GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y

Get your free email from http://www.hackermail.com

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON