[ SOURCE: http://www.secureroot.com/security/advisories/9786026036.html ]

Summary:
--------

Ikonboard is a free forum system, similar to UBB and UB. Versions up to and
including 2.1.7b contain a vulnerability that allows commands to be executed
as the script user. This compromises the security of the system running the
board and allows an attacker to get the passwords of the board users, because
they are in no way encrypted/hashed.

Details:
--------

The problem lies in the following piece of DIRTY perl code, found in
register.cgi (and other files):

    @params = $query->param;
    foreach $param(@params) {
        $theparam = $query->param($param);
        $theparam = &unHTML("$theparam");
        ${$param} = $theparam;
    }

This code allows an attacker to override any scalar variable, and therefore
also the settings made in data/boardinfo.cgi. This would have been only a
minor problem if there had not been a $SEND_MAIL setting, which contains the
location of the sendmail binary used to send out emails containing passwords
for new registrations and other things.

An attacker can now execute any program as the script user by putting
&SEND_MAIL=/path/program in the URL and making the program send an email, for
example by signing up as a new user and setting the passwordverification
option to yes using this same trick.

An exploit for this vulnerability is trivial and I will not post it here as
it would only be used by script-kiddies.

Solution:
---------

Shortly after I informed the author of this vulnerability a fix was issued
and now this vulnerability is fixed. (Version number seems to be unchanged
though.)

To see if you have a fixed version, check out register.cgi and see if it
contains the following code instead of the code listed above:

    for ('inmembername','password','emailaddress',
         'showemail','homepage','aolname','icqnumber','location','interests',
         'signature','timedifference','useravatar','action') {
        next unless defined $_;
        next if $_ eq 'SEND_MAIL';
        $tp = $query->param($_);
        $tp = &unHTML("$tp");
        ${$_} = $tp;
    }

Please note that I am not sure if the new version is safe. There appear to be
more problems, the complete absence of encryption being just one of them.

Conclusion:
-----------

Ikonboard is very nice-looking, user-friendly forum software but it has some
security issues. Maybe it would be better to wait for the 2.2 release that
should fix a lot of these issues.

--
Gijs

I say don't drink and drive, you might spill your beer.
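The parameter-import pattern described under Details, next to a form that avoids symbolic references altogether, as an added example that is not Ikonboard code and not part of the original advisory. The %request hash (a stand-in for $query->param), the sample values, the sendmail path, the simplified unHTML and the helper names import_unsafe/import_safe are all constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not Ikonboard code. %request stands in for $query->param
# and holds constructed values; unHTML() here is a minimal stand-in.
use strict;
use warnings;

# Setting as it would be loaded from data/boardinfo.cgi (constructed path).
our $SEND_MAIL = '/usr/lib/sendmail';

my %request = (                        # constructed request parameters
    inmembername => 'alice',
    emailaddress => 'alice@example.org',
    SEND_MAIL    => '/path/program',   # parameter named after a config variable
);

sub unHTML { my ($s) = @_; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; return $s }

# Pattern from the advisory: every parameter name becomes a package variable,
# so a parameter called SEND_MAIL replaces the configured value.
sub import_unsafe {
    my ($req) = @_;
    no strict 'refs';                  # symbolic references require this
    for my $param (keys %$req) {
        ${"main::$param"} = unHTML($req->{$param});
    }
}

# Hardened form: copy only the expected fields into a hash. Request data
# never reaches the symbol table, so no setting can be shadowed.
my @ALLOWED = qw(inmembername password emailaddress showemail homepage
                 aolname icqnumber location interests signature
                 timedifference useravatar action);

sub import_safe {
    my ($req) = @_;
    my %form;
    for my $name (@ALLOWED) {
        next unless defined $req->{$name};
        $form{$name} = unHTML($req->{$name});
    }
    return \%form;
}

my $form = import_safe(\%request);
print "safe:   SEND_MAIL=$SEND_MAIL fields=", join(',', sort keys %$form), "\n";

import_unsafe(\%request);
print "unsafe: SEND_MAIL=$SEND_MAIL\n";
```

Running the script under `use strict` also shows why the original pattern only works with strict refs disabled: removing the `no strict 'refs'` line makes import_unsafe die at the first assignment.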