SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Ultimate PHP Board
Vendors:   Hoeppner, Tim
Ultimate PHP Board Discloses Path to Remote Users and Allows Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1005775
SecurityTracker URL:  http://securitytracker.com/id/1005775
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Jun 29 2004
Original Entry Date:  Dec 9 2002
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.0 final beta
Description:   An input validation vulnerability was reported in Ultimate PHP Board (UPB). A remote user can determine the installation path of the UPB software. A remote user can conduct cross-site scripting attacks against UPB users.

It is reported that a remote user can create a specially crafted URL for the 'add.php' script to trigger an error message that will disclose the installation path.

If the add.php script is not available, a remote user can call the 'viewtopic.php' script with an invalid 'id' parameter to trigger the same type of error message. A demonstration exploit URL is provided:

http://hostname.com/phorum/viewtopic.php?id=some_stuff&t_id=2

Because the 'viewtopic.php' script error message will display user-supplied data without filtering, a remote user can exploit this to conduct cross-site scripting attacks against UPB users.

A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running UPB and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://hostname.com/phorum/viewtopic.php?id=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&t_id=2
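
Added example (not part of the original advisory or of the UPB code): a Python check an administrator can run over saved responses from their own board to see whether the two behaviours described above are present, namely PHP error text that reveals an absolute path and a query parameter echoed back without HTML escaping. The host name, file path and response bodies below are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# PHP diagnostics of the form quoted in the advisory:
#   "Warning: ... in /absolute/path/file.php on line N"
PHP_ERROR = re.compile(
    r"(?:Warning|Fatal error|Notice|Parse error):.*?\bin\s+"
    r"((?:/|[A-Za-z]:\\)\S+?\.php)\s+on\s+line\s+\d+",
    re.S,
)

def audit_response(url, body):
    """Return findings for one (request URL, response body) pair."""
    findings = []
    paths = sorted(set(PHP_ERROR.findall(body)))
    if paths:
        findings.append(("path-disclosure", paths))
    for name, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            # A value with HTML metacharacters that comes back verbatim
            # was written into the page without escaping.
            if value != html.escape(value) and value in body:
                findings.append(("unescaped-reflection", name))
    return findings

# Constructed samples: host, path and bodies are illustrative only.
SAMPLE_URL = ("http://forum.example/viewtopic.php"
              "?id=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&t_id=2")
VULNERABLE_BODY = (
    "Warning: Unable to access ./data_dir/"
    "<script>alert(document.cookie)</script>.dat in "
    "/var/www/board/textdb.inc.php on line 240\n"
    "Warning: Supplied argument is not a valid File-Handle resource in "
    "/var/www/board/textdb.inc.php on line 241\n"
)
# What a fixed board would return: errors logged server-side, nothing echoed.
FIXED_BODY = "<p>Topic not found.</p>"

if __name__ == "__main__":
    for label, body in (("vulnerable", VULNERABLE_BODY), ("fixed", FIXED_BODY)):
        print(label, audit_response(SAMPLE_URL, body))
```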

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running Ultimate PHP Board, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can also determine the installation path of the software.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.webrc.ca/php/upb.php
Cause:   Exception handling error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  XSS and Path Disclosure in UPB


=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: XSS and Path Disclosure in UPB
product: Ultimate PHP Board (UPB) final beta 1.0 
vendor: http://www.webrc.ca/php/upb.php
risk: middle
date: 12/7/2k2
discovered by: euronymous /F0KP /HACKRU Team
advisory url: http://f0kp.iplus.ru/bz/009.txt 
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
	      
description
-----------

1) when calling add.php, which coming with upb, it output some
error message, that contain following information:

================================================================
Warning: Failed opening 'textdb_v2.inc.php' for inclusion 
(include_path='.:/usr/local/lib/php') in 
/home/samcom/public_html/public/messageboard2/add.php on line 5
attempting to edit record...

Fatal error: Call to undefined function: format_field() in 
/home/samcom/public_html/public/messageboard2/add.php on line 11
================================================================

as you can see, script output contain full physical path of the
board. 

2). but if user has deleted this file (add.php) u can to view 
the full path in this way: 

==============================================================
http://hostname.com/phorum/viewtopic.php?id=some_shit&t_id=2
==============================================================

cos the `id' parameter doesnt check if input data has entered
correctly, then it output following error message: 

===================--======= snip =============================
Warning: Unable to access ./data_dir/some_shit.dat in 
/home/samcom/public_html/public/messageboard2/textdb.inc.php on 
line 240

..

Warning: Supplied argument is not a valid File-Handle resource 
in /home/samcom/public_html/public/messageboard2/textdb.inc.php 
on line 241

..
=========================== snip ==============================

where `data_dir' is the name of directory, where stored important
files, eg users.dat with users passwords (md5). in default name 
of this directory is `db'. 

if user doesnt make this dir secure, then you can to get the users
passwds with reading file users.dat (default name.. but it is an 
old stuff) and cracking the .md5 hashes. 
 
3) cos the above, file viewtopic.php doesnt check at all, then you
can insert some html in scripts output:  

========================================================
http://hostname.com/phorum/viewtopic.php?id=
%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&t_id=2
========================================================

[it must be in a single string]

not URL-encoded string working fine also.
ps. all of this issues applied to previous versions upb.

shouts: HACKRU Team, DWC, DHG, Spoofed Packet, all 
russian security guyz!! and kate for she is kewl girl )) 
fuck_off: slavomira and other dirty ppl in *.kz

================
im not a lame,
not yet a hacker
================






 
 

