Re: Ikonboard v2.1.7b "show files" vulnerability

[Darren Mobley <decker () n3t net>]

Version 2.16b is vulnerable to this attack as well.

My fix for this was to simply insert as line 45:

if($inhelpon =~ /\.\./) { &hackdetected; }

then at the bottome append:

sub hackdetected {
print "Content-type: text/plain\n\n";
print "sorry, this hole was patched :)\n";
print "you have been logged.\n";
exit;
}

Ok course you could change this to whatever..

All of the valid helpfiles should be in the same directory as help.cgi,
so this *should* work..

-darren
----------------------------------
E-Mail: decker () n3t net
http://n3t.net
"Finem Respice"
----------------------------------