Hi,

I found a vulnerability in e_Board ver. 4.0 which allows remote users to open any file on the system. I think all prior versions have the same problem.

e_Board is a wwwboard-like CGI script. It's written by Mike Bagneski in Perl (and for sale! $14.95).
http://www.e-scripts.com/eboard/

It doesn't check whether posted data contains a null byte or slash, so we can use rfp's Poison NULL byte and dir traversal technique... =)

An example:
http://www.e-scripts.com/cgi-bin/eboard40/index2.cgi?frames=yes&board=demo&mode=Current&threads=Collapse&message=../../../../../../../../../../../etc/passwd%00

Quick fix:

    die "invalid message number" if ($message !~ m/^\d+$/);
    # insert this before:
    # open(MESSAGE, "$board_path/$messages_dir/$message.txt") || &return_page('File Error', "Can't read $board_path/$messages_dir/$message.txt");

Thanks,

----
White_E
http://nogimmick.org/
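
Added example, not part of the original post and not e_Board's own code: a stricter form of the digits-only check, run over constructed inputs to show which message ids are accepted before a path is ever built. The helper name message_path, the 10-digit length limit and the sample directory names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not e_Board code): returns the file path for a
# message id, or undef when the id is not a plain run of ASCII digits.
sub message_path {
    my ($board_path, $messages_dir, $message) = @_;
    return unless defined $message;
    # \A and \z anchor to the true start and end of the string; a bare $
    # also matches before a trailing newline, so "42\n" would pass.
    # [0-9] is used instead of \d, which can match non-ASCII digits.
    # The 10-digit limit is an assumed bound, not taken from the post.
    return unless $message =~ /\A[0-9]{1,10}\z/;
    # Only digits reach this point, so the ".txt" suffix cannot be cut
    # off by a NUL and no "/" or ".." can appear in the path.
    return "$board_path/$messages_dir/$message.txt";
}

# Constructed inputs, already URL-decoded as a CGI parameter would be.
my @samples = (
    "42",
    "../../../../etc/passwd\0",   # traversal plus NUL, as in the post
    "42\0",                       # NUL alone
    "42\n",                       # trailing newline
    "4/2",                        # slash inside the id
    "",                           # empty parameter
);

for my $raw (@samples) {
    # Constructed sample paths; a real board would use its configured ones.
    my $path = message_path('/var/www/board', 'messages', $raw);
    # Make control characters visible in the report.
    (my $shown = $raw) =~ s/([^[:print:]])/sprintf('\\x%02x', ord $1)/ge;
    printf "%-32s %s\n", "\"$shown\"",
        defined $path ? "accept -> $path" : "reject";
}
```

Only the first sample is accepted; the other five are rejected before any path is built.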