Hacksware Bug Report

1. Name: JSBoard authentication bypass and file creation problem
2. Release Date: 2001.3.2
3. Affected Application: JSBoard 1.2.2 (other versions were not checked).
4. Author: mat@hacksware.com
5. Type: remote, php

6. Explanation

In the board administrator scripts, when the requested table does not exist, the admin[passwd] value can be set by the user (the configuration that would normally define it is never loaded), and the files config.ph, html_head.ph and html_tail.ph can be created with the privileges of the web server. In addition, by passing a specific parameter to list.php, arbitrary commands can be executed on the web server.

7. Exploits

I used lynx as the BROWSER, but you can also access the URL directly with a graphical browser. dbvmoaTb1mocc is the crypt form of hello. The php shell borrows piranha's code. For earlier versions of jsboard, change the extensions of act.php and list.php to php3.

------------------------------hook_js.sh--------------------------------------

The exploit will be released on March 5.

8. Temporary Workaround

In the following files under the jsboard directory:

  admin/user_admin/act.php
  admin/user_admin/auth.php
  admin/user_admin/uadmin.php

change

  if (file_exists("../../data/$table/config.ph"))
      include("../../data/$table/config.ph");

to

  if (!file_exists("../../data/$table/config.ph"))
      err_msg("go off you cracker");
  include("../../data/$table/config.ph");

With this change a request naming a table that has no config.ph is rejected instead of continuing with whatever admin[passwd] value the request itself supplied.
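The following is an added illustration of the bug class described in sections 6 and 8; it is not JSBoard's code and not the author's exploit. It assumes PHP 4 with register_globals=On (the default at the time of this advisory), so that every request parameter such as admin[passwd] becomes a global variable, and the helper names load_board_config_vulnerable(), load_board_config_fixed() and check_admin_login() are hypothetical. The vulnerable loader is the pattern the workaround replaces; the fixed loader applies the advisory's check and adds two further precautions that the advisory does not mention: it resets $admin before the include so request-supplied values cannot survive, and it restricts $table to a safe character set so the caller cannot steer the "../../data/$table/config.ph" path elsewhere.

```php
<?php
// Added illustration (not JSBoard's code). Assumes register_globals=On,
// so a request such as
//   act.php?table=nosuch&admin[passwd]=dbvmoaTb1mocc&passwd=hello
// arrives with $table = "nosuch" and $admin = array("passwd" => "dbvmoaTb1mocc"),
// dbvmoaTb1mocc being the crypt form of "hello" quoted in the advisory.

function err_msg($msg) {
    echo "<p>$msg</p>";
    exit;
}

// Vulnerable pattern: when the board's data directory does not exist the
// config is silently skipped, so $admin['passwd'] keeps the value the
// request supplied and the attacker knows the matching cleartext.
function load_board_config_vulnerable($table) {
    global $admin;
    if (file_exists("../../data/$table/config.ph"))
        include("../../data/$table/config.ph");   // config.ph sets $admin['passwd']
}

// Hardened pattern: the advisory's check (refuse when config.ph is missing)
// plus two added precautions labelled as assumptions in the lead-in.
function load_board_config_fixed($table) {
    global $admin;
    // Added: keep $table to a plain name so it cannot contain "../" or a null byte.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $table))
        err_msg("go off you cracker");
    // The advisory's workaround: a missing config is an error, not a skip.
    if (!file_exists("../../data/$table/config.ph"))
        err_msg("go off you cracker");
    // Added: discard anything register_globals put into $admin before loading.
    $admin = array();
    include("../../data/$table/config.ph");
}

// Password check as the admin scripts would perform it: the stored value is a
// crypt() hash and doubles as the salt for re-hashing the submitted password.
function check_admin_login($passwd) {
    global $admin;
    if (!isset($admin['passwd']) || crypt($passwd, $admin['passwd']) != $admin['passwd'])
        err_msg("bad password");
}

// Usage: the fixed loader is called before any admin action and before any
// file (config.ph, html_head.ph, html_tail.ph) is written for the board.
//   load_board_config_fixed($table);
//   check_admin_login($passwd);
?>
```

With the vulnerable loader, load_board_config_vulnerable("nosuch") returns without touching $admin, check_admin_login("hello") then succeeds against the attacker-supplied hash, and the script goes on to create the board files with the web server's privileges. With the fixed loader the same request stops at err_msg() before any file is written. The two added precautions are worth keeping even after the advisory's one-line change, since the advisory's check alone still interpolates an unvalidated $table into the include path.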