Ultimate PHP Board Discloses Path to Remote Users and Allows Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1005775
SecurityTracker URL: http://securitytracker.com/id/1005775
Updated: Jun 29 2004
Original Entry Date: Dec 9 2002
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included: Yes
Version(s): 1.0 final beta
Description: An input validation vulnerability was reported in Ultimate PHP Board (UPB). A remote user can determine the installation path of the UPB software. A remote user can conduct cross-site scripting attacks against UPB users.
It is reported that a remote user can create a specially crafted URL for the 'add.php' script to trigger an error message that will disclose the installation path.
If the add.php script is not available, a remote user can call the 'viewtopic.php' script with an invalid 'id' parameter to trigger the same type of error message. A demonstration exploit URL is provided:
Because the 'viewtopic.php' script's error message displays the user-supplied 'id' value without filtering, a remote user can exploit this to conduct cross-site scripting attacks against UPB users.
A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running UPB and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A demonstration exploit URL is provided:
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running Ultimate PHP Board, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A remote user can also determine the installation path of the software.
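The two weaknesses described above share one root: a request parameter ('id') is used to build a data-file path without validation, and the resulting PHP error text (full filesystem path plus the raw parameter) is echoed to the browser. The following is an added illustration, not UPB's code or a vendor fix; it reconstructs the vulnerable pattern from the advisory's description and places a hardened handler beside it. The function names, the 'db' data directory location under the script directory, and the '.dat' file naming are assumptions.

```php
<?php
// Added example (not UPB's code): the weak pattern the advisory describes,
// beside a hardened version. Names and paths are assumptions.
declare(strict_types=1);

// The advisory says the default data directory is named 'db'; its location
// relative to the script is an assumption.
const DATA_DIR = __DIR__ . '/db';

// --- Weak pattern (reconstruction) -------------------------------------
// With display_errors=On, a failed fopen() emits an E_WARNING that includes
// the full filesystem path and the unfiltered 'id' value, so one request both
// discloses the install path and reflects attacker-controlled text into HTML.
function viewtopic_weak(string $id): string
{
    $fh = fopen(DATA_DIR . '/' . $id . '.dat', 'r');   // unvalidated input in a path
    if ($fh === false) {
        // Path and raw input reflected without escaping (the reported XSS).
        return 'Unable to access ' . DATA_DIR . '/' . $id . '.dat';
    }
    $body = stream_get_contents($fh);
    fclose($fh);
    return $body;
}

// --- Hardened handler ---------------------------------------------------
// 1. Never show PHP diagnostics to the client; log them server-side instead.
//    This alone removes the path-disclosure channel for every script.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

function viewtopic_hardened(string $id): string
{
    // 2. Reject anything but a bounded decimal id before it touches the
    //    filesystem; respond with a generic message that echoes nothing.
    if ($id === '' || !ctype_digit($id) || strlen($id) > 9) {
        http_response_code(400);
        return 'Invalid topic id.';
    }

    // 3. Resolve the path and confine it to the data directory, so even a
    //    future relaxation of the check above cannot escape DATA_DIR.
    $base = realpath(DATA_DIR);
    $path = realpath(DATA_DIR . '/' . $id . '.dat');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return 'Topic not found.';
    }

    // 4. Escape everything that is reflected into the page, including stored
    //    content, so neither the id nor a topic body can inject markup.
    $body = file_get_contents($path);
    if ($body === false) {
        http_response_code(500);
        return 'Unable to read topic.';        // no path, no input echoed
    }
    return '<pre>' . htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}

// Assumed entry point: /viewtopic.php?id=123
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/html; charset=UTF-8');
    echo viewtopic_hardened((string) ($_GET['id'] ?? ''));
}
```

Disabling display_errors is the broad fix for the path disclosure (it also covers add.php, which the advisory says leaks the path through an include failure), while input validation plus output escaping addresses the reflected cross-site scripting. Since the original report notes that the data directory holds users.dat with MD5 password hashes, the directory should also sit outside the web root or have HTTP access to it denied by the web server; the handler above reads it only through the confined path check.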
Solution: No solution was available at the time of this entry.
Vendor URL: www.webrc.ca/php/upb.php
Cause: Exception handling error, Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Source Message Contents
Subject: XSS and Path Disclosure in UPB
topic: XSS and Path Disclosure in UPB
product: Ultimate PHP Board (UPB) final beta 1.0
discovered by: euronymous /F0KP /HACKRU Team
advisory url: http://f0kp.iplus.ru/bz/009.txt
1) when calling add.php, which comes with UPB, it outputs an
error message that contains the following information:
Warning: Failed opening 'textdb_v2.inc.php' for inclusion
/home/samcom/public_html/public/messageboard2/add.php on line 5
attempting to edit record...
Fatal error: Call to undefined function: format_field() in
/home/samcom/public_html/public/messageboard2/add.php on line 11
as you can see, the script output contains the full physical path of the
2) but if the user has deleted this file (add.php), you can view
the full path in this way:
because the `id' parameter doesn't check whether the input data was entered
correctly, it outputs the following error message:
=========================== snip ==============================
Warning: Unable to access ./data_dir/some_shit.dat in
Warning: Supplied argument is not a valid File-Handle resource
on line 241
=========================== snip ==============================
where `data_dir' is the name of the directory where important
files are stored, e.g. users.dat with users' passwords (md5). By default the name
of this directory is `db'.
if the user doesn't make this dir secure, then you can get the users'
passwords by reading the file users.dat (default name... but this is
old stuff) and cracking the md5 hashes.
3) because of the above, the file viewtopic.php doesn't check at all, so you
can insert some HTML into the script's output:
[it must be in a single string]
a non-URL-encoded string works fine also.
ps. all of these issues apply to previous versions of UPB.
shouts: HACKRU Team, DWC, DHG, Spoofed Packet, all
russian security guyz!! and kate for she is kewl girl ))
fuck_off: slavomira and other dirty ppl in *.kz
im not a lame,
not yet a hacker