


Category:   Application (Forum/Board/Portal)  >   Ultimate PHP Board
Vendors:   Hoeppner, Tim
Ultimate PHP Board Access Control Flaw Gives Remote Authenticated Users Administrative Access
SecurityTracker Alert ID:  1005198
SecurityTracker URL:
CVE Reference:   CVE-2002-1821
Updated:  Jun 3 2008
Original Entry Date:  Sep 9 2002
Impact:   Modification of user information, User access via network
Exploit Included:  Yes  

Description:   An access control hole was reported in several components of the Ultimate PHP Board forum software. A remote authenticated user can gain administrative access on the board.

It is reported that several scripts fail to check the user's privileges and only validate that the remote user is logged in. A remote authenticated user can load the admin_members.php script and obtain 'Admin' permissions.

According to the report, the admin_config.php script allows the remote authenticated user to modify the Title bar name and color. The admin_cat.php script allows the remote authenticated user to modify the Forum Category. The admin_forum.php script allows the remote authenticated user to delete forums.

This flaw was reported by hipik [at]

Impact:   A remote authenticated user can gain 'admin' privileges on the board.
Solution:   No vendor solution was available at the time of this entry.

The author of the report has provided a recommended code change [see the Source Message for the code].

Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  UPB Bug


product: Ultimate PHP Board (UPB) 
version: Public Beta 1.0b !!FIXED 
summary:  UPB allows any user to have access level 3 (to have admin permissions)
exploit: yes
Fix: yes
Exploited by Hipik__, member of Bosnians Security Portal
I am a registered user 'Hipik__' and I have member permissions.
After that I logged on to the UPB Forum and ran the following URL:
and I can give myself Admin permissions.
And that is it. I can change everything on the page.
Also, if you don't have admin permissions you can go to the following URL:
and you can manipulate the UPB forum Title bar Name color, or you can go to the following URL:
and you can manipulate the Forum Category, or if you want to delete forums without Admin
permissions go to the following URL:
Register on the UPB Forum and log on, then go to one of the following URLs:
Vulnerable code:
The files admin_members.php, admin_config.php, admin_cat.php, admin_forum.php
and other admin_ files contain this line of code:

if(is_logged_in($user_env, $pass_env, $power_env, $id_env)) {

This line of code doesn't check whether the user has Admin permissions. It just checks whether he is logged on.
This line of code in files admin_members.php, admin_config.php, admin_cat.php, admin_forum.php 
and other admin_ files:

if(is_logged_in($user_env, $pass_env, $power_env, $id_env)) {

Replace it with this line of code:

if(is_logged_in($user_env, $pass_env, $power_env, $id_env) && $power_env == 3) {

NickName: Hipik__
IRC Server: Channel:#hackeri
The beast Security group in Bosnia
Sorry for my poor English :(
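
Because the report says the login-only gate also appears in "other admin_ files", the fix has to be verified across the whole set of admin_ scripts. The following audit check is an added example, not part of the original report or of UPB: it flags every admin_*.php file whose is_logged_in() gate lacks the $power_env == 3 test. The file contents, the example_page.php name and the function names audit_source and audit_tree are constructed for illustration.

```python
import re

# The login gate quoted in the report, and the privilege test its fix appends.
# Line-based on purpose: a gate split across several lines is not matched.
GATE = re.compile(r"if\s*\(\s*is_logged_in\s*\([^)]*\)(?P<rest>[^{]*)\{")
POWER_CHECK = re.compile(r"\$power_env\s*={2,3}\s*3\b")
ADMIN_FILE = re.compile(r"admin_\w+\.php")


def audit_source(php_source):
    """Return [(line_no, line)] for each gate that only tests is_logged_in()."""
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        gate = GATE.search(line)
        if gate and not POWER_CHECK.search(gate.group("rest")):
            findings.append((line_no, line.strip()))
    return findings


def audit_tree(files):
    """files maps filename -> source text; only admin_*.php is in scope."""
    report = {}
    for name, source in sorted(files.items()):
        if ADMIN_FILE.fullmatch(name):
            hits = audit_source(source)
            if hits:
                report[name] = hits
    return report


LOGIN_ONLY = "if(is_logged_in($user_env, $pass_env, $power_env, $id_env)) {"
WITH_POWER = ("if(is_logged_in($user_env, $pass_env, $power_env, $id_env)"
              " && $power_env == 3) {")

# Constructed sample tree (file bodies are not UPB's real source).
SAMPLE = {
    "admin_members.php": "<?php\n" + LOGIN_ONLY + "\n",
    "admin_forum.php": "<?php\n" + WITH_POWER + "\n",
    "example_page.php": "<?php\n" + LOGIN_ONLY + "\n",  # hypothetical non-admin page
}

if __name__ == "__main__":
    for name, hits in audit_tree(SAMPLE).items():
        for line_no, line in hits:
            print(f"{name}:{line_no}: login-only gate: {line}")
```

A script that performs the power check on a separate line is still reported, so each hit needs a manual look before it is counted as unfixed.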


