Bugtraq mailing list archives
Re: Fun with UltraBoard V1.6X
From: jmbello () ITCHY COVERLINK ES (Juan M. Bello Rivas)
Date: Fri, 5 May 2000 23:10:56 +0200
Hola,

On Wed, May 03, 2000 at 02:13:16AM -0700, rudi carell wrote:
> found some interesting things in the "old" UltraBoard-Forum scripts (UltraBoard V 1.6)
>
> class:Input Validation Error
> remote:Yes
> vulnerable:UltraBoard V1.*
> vendor: www.ultrascripts.com || www.ub2k.com
>
> Description:
> By using the good old NullByte(\000) it's possible to open "any" file on the webserver (with its permissions) running the "UltraBoard" forum-software.
>
> cgi-script: UltraBoard.pl || UltraBoard.cgi
>
> Variables:
> Action=PrintableTopic
> Post=[path_including_".."_to_any_file][***NULLBYTE***]
> Board=[valid_board]
> Idle=10
> Sort=0
> Order=Descend
> Page=0
> Session=
There's even more fun available with old versions of ultraboard (and I think the latest beta of ultraboard 2000 is also vulnerable to this). You can bring the web server to its knees by issuing a request to the CGI like this:

QUERY_STRING=Session=../UltraBoard.pl%00%7c

It will start forking instances of the CGI until it eats all the resources of the machine.

Later.

Juan M. Bello Rivas
--
"Let's suppose you just finished writing `zardoz', a program to make your head float from vortex to vortex."
From GNU automake documentation.
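An added example, not part of either post or of UltraBoard itself: a log check a defender could run to spot the two request shapes described in this thread (a NUL byte, `..` traversal, or a pipe character in the `Post` or `Session` parameter of the UltraBoard CGI). The Common Log Format layout, the function names, and the sample lines are assumptions constructed for illustration; it also decodes repeatedly so a double-encoded NUL (`%2500`) is caught.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Script names and the Post/Session parameters are taken from the thread;
# the Common Log Format layout and the sample lines below are assumptions.
SCRIPT = re.compile(r"/UltraBoard\.(?:pl|cgi)$", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
WATCHED = {b"post", b"session"}

SAMPLE_LOG = [  # constructed for this example
    '192.0.2.10 - - [05/May/2000:23:00:01 +0200] "GET /cgi-bin/UltraBoard.pl?Action=PrintableTopic&Post=../../x%00&Board=main HTTP/1.0" 200 512',
    '192.0.2.10 - - [05/May/2000:23:00:05 +0200] "GET /cgi-bin/UltraBoard.pl?Session=../UltraBoard.pl%00%7c HTTP/1.0" 200 0',
    '192.0.2.11 - - [05/May/2000:23:01:00 +0200] "GET /cgi-bin/UltraBoard.cgi?Action=PrintableTopic&Post=12&Board=main&Session= HTTP/1.0" 200 2048',
    '192.0.2.12 - - [05/May/2000:23:02:00 +0200] "GET /cgi-bin/UltraBoard.cgi?Session=abc%2500 HTTP/1.0" 200 0',
]

def decode_fully(raw, rounds=3):
    """Percent-decode repeatedly so a double-encoded NUL (%2500) is also seen."""
    data = raw.encode("latin-1", "replace")
    for _ in range(rounds):
        nxt = unquote_to_bytes(data)
        if nxt == data:
            break
        data = nxt
    return data

def inspect_line(line):
    """Return the sorted list of findings for one log line ([] if clean)."""
    m = REQUEST.search(line)
    url = urlsplit(m.group(1)) if m else None
    if url is None or not SCRIPT.search(url.path):
        return []
    findings = set()
    for pair in url.query.split("&"):
        name, _, value = pair.partition("=")
        if decode_fully(name).lower() not in WATCHED:
            continue
        val = decode_fully(value)
        if b"\x00" in val:
            findings.add("nul-byte")
        if b".." in val.replace(b"\\", b"/").split(b"/"):
            findings.add("path-traversal")
        if b"|" in val:
            findings.add("pipe-metachar")
    return sorted(findings)

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(inspect_line(entry), entry.split('"')[1])
```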