[20037] in bugtraq
Ultimate Bulletin Board Version 5.47e
daemon@ATHENA.MIT.EDU (ultimator303@HOTMAIL.COM)
Thu Apr 5 20:33:11 2001
Message-ID: <20010405040701.1153.qmail@securityfocus.com>
Date: Thu, 5 Apr 2001 04:07:01 -0000
Reply-To: ultimator303@HOTMAIL.COM
From: ultimator303@HOTMAIL.COM
To: BUGTRAQ@SECURITYFOCUS.COM
About:
"Ultimate Bulletin Board Version 5.47e"
by "www.infopop.com"
on Cross-Platform (tested on UNIX)
Subject:
Another possibility to read in private forums
Status:
Vendors took acknowledgement;
No reply of any solution yet;
Details:
As still known, there've been some security problem
in UBB up to version 5.74a that makes it possible
to read in private forums (password protected), just
giving the 'postings.cgi' the querystring
'action=reply&forum=doesnotmatter&number=1&topic=000001.cgi&TopicSubject=doesnotmatter&replyto=0',
altering 'number' to the number of a private forum
and 'topic' and 'replyto' just to the number you want to
read.
So for example this URL could let you read the first
message of the first thread in a private forum,
whose number is 1:
http://boardhost.org/boarddir/postings.cgi?action=reply&forum=&number=1&topic=000001.cgi&TopicSubject=&replyto=0
I guess this bug should be fixed at least with version
5.47e.
But one little detail was forgotten: If there are
several private forums, e.g. one for the moderators
and one only for administrators,
people with a moderator's rights could still exploit this
bug to read in the administrators' forum, though they don't
have permission to read there, just by logging in and
getting cookied by that.
Solution:
As I guess this should be fixed by editing the line
' if (($Status eq "Administrator") || ($Status eq "Moderator")) {'
in the subroutine
'sub verifyID' in the 'postings.cgi' and change it into
' if ($Status eq "Administrator") {' at least with the
board I was testing it, this worked.
But maybe you should wait for any official solutions of
the vendors.
Credits:
from and to: cRackY
From:
ultimator303
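
Added example, not part of the original post and not UBB's own code: a role-only test shaped like the line quoted above, beside a check that authorizes against the forum actually requested, so a moderator is denied the administrators-only forum while keeping the moderators' forum. The forum table, the forum numbers and the sub names are hypothetical; UBB's real configuration and the rest of 'sub verifyID' are not shown in the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical forum table: forum number => roles allowed to read it.
my %FORUM_READERS = (
    1 => [qw(Administrator)],                   # administrators-only forum
    2 => [qw(Administrator Moderator)],         # moderators' forum
    3 => [qw(Administrator Moderator Member)],  # ordinary forum
);

# Role-only test, the shape of the line quoted in the post: any moderator
# passes, whichever forum the 'number' parameter points at.
sub role_only_check {
    my ($status, $forum) = @_;
    return ($status eq "Administrator" || $status eq "Moderator") ? 1 : 0;
}

# Per-forum test: the forum number must be purely numeric and the caller's
# role must be listed for that forum. Unknown forums are denied.
sub per_forum_check {
    my ($status, $forum) = @_;
    return 0 unless defined $forum && $forum =~ /\A[0-9]+\z/;
    my $allowed = $FORUM_READERS{ $forum + 0 } or return 0;
    return (grep { $_ eq $status } @$allowed) ? 1 : 0;
}

# Constructed test cases: [role, requested forum number].
my @cases = (
    ["Moderator",     1],      # the case described in the post
    ["Moderator",     2],
    ["Administrator", 1],
    ["Member",        2],
    ["Moderator",     "1;x"],  # malformed forum number
);

for my $case (@cases) {
    my ($status, $forum) = @$case;
    printf "%-13s forum=%-4s role-only=%d per-forum=%d\n",
        $status, $forum,
        role_only_check($status, $forum),
        per_forum_check($status, $forum);
}
```

The first row is the one that matters: the role-only test returns 1 for a moderator asking for forum 1, the per-forum test returns 0.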