SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Ultimate PHP Board
Vendors:   Hoeppner, Tim
Ultimate PHP Board Access Control Flaw Gives Remote Authenticated Users Administrative Access
SecurityTracker Alert ID:  1005198
SecurityTracker URL:  http://securitytracker.com/id/1005198
CVE Reference:   CVE-2002-1821
Updated:  Jun 3 2008
Original Entry Date:  Sep 9 2002
Impact:   Modification of user information, User access via network
Exploit Included:  Yes  

Description:   An access control hole was reported in several components of the Ultimate PHP Board forum software. A remote authenticated user can gain administrative access on the board.

It is reported that several scripts fail to check the user's privileges and only validate that the remote user is logged in. A remote authenticated user can load the admin_members.php script and obtain 'Admin' permissions.

According to the report, the admin_config.php script allows the remote authenticated user to modify the Title bar name and color. The admin_cat.php script allows the remote authenticated user to modify the Forum Category. The admin_forum.php script allows the remote authenticated user to delete forums.

This flaw was reported by hipik [at] mail.ru.

Impact:   A remote authenticated user can gain 'admin' privileges on the board.
Solution:   No vendor solution was available at the time of this entry.

The author of the report has provided a recommended code change [see the Source Message for the code].

Vendor URL:  www.webrc.ca/php/upb.php
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  UPB Bug


http://packetstorm.decepticons.org/0209-exploits/upb.admin.txt

product: Ultimate PHP Board (UPB) 
version: Public Beta 1.0b !!FIXED 
vendor: http://www.webrc.ca/php/upb.php
summary:  UPB allows any user to have access level 3 (to have admin permissions)
exploit: yes
Fix: yes
Exploited by Hipik__, member of www.hackeri.org, Bosnian Security Portal
email:hipik@mail.ru
__________________
I was a registered user 'Hipik__' and I had member permissions.
After that I logged on to the UPB Forum and ran the following URL:
http://www.example.com/admin_members.php
and I could give myself Admin permissions.
And that is it. I can change everything on the page.
Also, if you don't have admin permissions you can go to the following URL:
http://www.example.com/admin_config.php
and you can manipulate the UPB forum Title bar Name color, or you can go to the following URL:
http://www.example.com/admin_cat.php
and you can manipulate the Forum Category, or if you want to delete forums without Admin
permissions go to the following URL:
http://www.example.com/admin_forum.php
_________________________
Exploit:
Register on the UPB Forum and log on, then go to one of the following URLs:
http://www.example.com/admin_members.php
http://www.example.com/admin_config.php 
http://www.example.com/admin_cat.php
http://www.example.com/admin_forum.php
_________________________
Vulnerable code:
The files admin_members.php, admin_config.php, admin_cat.php, admin_forum.php
and other admin_ files contain this line of code:

if(is_logged_in($user_env, $pass_env, $power_env, $id_env)) {

This line of code doesn't check whether the user has Admin permissions. It just checks whether he is logged on.
_________________________
Solution:
This line of code in files admin_members.php, admin_config.php, admin_cat.php, admin_forum.php 
and other admin_ files:

if(is_logged_in($user_env, $pass_env, $power_env, $id_env)) {

Change it to this line of code:

if(is_logged_in($user_env, $pass_env, $power_env, $id_env) && $power_env == 3) {

________________________
NickName: Hipik__
E-mail: hipik@mail.ru
URL: http://www.hackeri.org
IRC Server: irc.dal.net Channel:#hackeri
The beast Security group in Bosnia
--------------------------------------------------------------
Sorry for my poor English :(
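
Added example (not part of the original report and not UPB's own code): because the report says the login-only guard also appears in "other admin_ files", this Python audit checks every admin_ script for the quoted guard line and flags any that lack the $power_env == 3 comparison from the reporter's fix. The sample file contents and the admin_other.php name are constructed for illustration.

```python
import re

# Guard line quoted in the report; the argument list is matched loosely.
GUARD = re.compile(r"if\s*\(\s*is_logged_in\s*\([^)]*\)(?P<rest>[^{]*)\{")
# The reporter's fix compares $power_env against level 3 in the same condition.
ADMIN_CHECK = re.compile(r"\$power_env\s*={2,3}\s*['\"]?3['\"]?(?!\d)")


def audit_source(name, php_source):
    """Return (file, line_no, status) for every is_logged_in guard found."""
    findings = []
    for m in GUARD.finditer(php_source):
        line_no = php_source.count("\n", 0, m.start()) + 1
        status = "ok" if ADMIN_CHECK.search(m.group("rest")) else "login-only"
        findings.append((name, line_no, status))
    return findings


def audit_tree(files):
    """files maps file name -> PHP source; only admin_* scripts are checked."""
    report = []
    for name, src in sorted(files.items()):
        if not name.startswith("admin_"):
            continue
        hits = audit_source(name, src)
        # An admin script with no recognisable guard at all is reported too.
        report.extend(hits or [(name, 0, "no-guard")])
    return report


GUARD_ARGS = "is_logged_in($user_env, $pass_env, $power_env, $id_env)"
# Constructed sample sources (not taken from UPB).
SAMPLE = {
    "admin_members.php": "<?php\nif(" + GUARD_ARGS + ") {\n}\n",
    "admin_forum.php": "<?php\n// patched\nif(" + GUARD_ARGS
                       + " && $power_env == 3) {\n}\n",
    "admin_other.php": "<?php\necho 'settings';\n",   # hypothetical file name
    "viewforum.php": "<?php\nif(" + GUARD_ARGS + ") {\n}\n",
}

if __name__ == "__main__":
    for row in audit_tree(SAMPLE):
        print(*row)
```

A "login-only" or "no-guard" row marks a script that still needs the privilege check; non-admin pages such as viewforum.php are skipped because a login-only guard is expected there.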
