source: http://www.securityfocus.com/bid/2471/info Ikonboard is a perl-based discussion forum script from ikonboard.com. Versions of Ikonboard are vulnerable to remote disclosure of arbitrary files. By adding a null byte to the name of a requested file, the attacker can defeat the script's inbuilt feature of appending the suffix '.dat' to requested filenames, a precaution intended to limit the range of files readable using this script. Exploited in conjunction with '../' sequences inserted into the path of the requested file, this vulnerability allows a remote attacker to submit requests for arbitrary files which are readable by the webserver user. This could include sensitive system information, including account information and passwords for Ikonboard users and administrators. Example: http://www.example.com/cgi-bin/ikonboard/help.cgi?helpon=../../../../../etc/passwd%00 will disclose /etc/passwd, if readable by the webserver. http://www.example.com/cgi-bin/ikonboard/help.cgi?helpon=../members/[member].cgi%00 discloses the ikonboard account password for [member], including admin acounts.
Related ExploitsTrying to match CVEs (1): CVE-2001-0360
Trying to match OSVDBs (1): 7707
Other Possible E-DB Search Terms: IkonBoard 2.1.7b, IkonBoard
|2002-02-26||IkonBoard 2.17/3.0/3.1 - Image Tag Cross-Agent Scripting||godminus|
|2003-04-15||IkonBoard 3.1 - Lang Cookie Arbitrary Command Execution (1)||Nick Cleaton|
|2003-05-05||IkonBoard 3.1 - Lang Cookie Arbitrary Command Execution (2)||snooq|
|2004-12-16||IkonBoard 3.x - Multiple SQL Injections||anonymous|