`admin' bug in upb

From: GooDWiN (badwin@rambler.ru)
Date: 08/25/02


From: GooDWiN <badwin@rambler.ru>
To: bugtraq@securityfocus.com
Date: Sun, 25 Aug 2002 18:20:13 +0400 (MSD)


product: Ultimate PHP Board (UPB)
version: Public Beta 1.0b !!FIXED
vendor: http://www.webrc.ca/php/upb.php
status: notified

------------------------------------------------
summary: upb allows two `admin' accounts to exist,
but with different access levels. it may
be applied in spoofing attacks.
------------------------------------------------
 i registered the `admin' account during the install procedure. it has
`Admin' permissions. later i registered `admin' again the normal way (via
register.php) and upb didn't output any error. but THIZ `admin' has `member'
permissions.

solution (from ewgenij_s@gmx.de)
---------

in register.php replace

      $c = count($d)-2;

with

      $c = count($d)-1;

regardz,
GooDWiN /tF0KP
----------------------------
www.security-ru.net

___________________________
origin: i'm not a lame,
         not yet a hacker ))

----
  http://www.rambler.ru
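
The off-by-one behind the report, as an added sketch that is not part of the original post and is not UPB's code. It assumes a newline-terminated flat file with one "name<~>level" record per line and a loop bounded by $c; the record layout and both function names are hypothetical. The second function goes beyond the posted one-line fix by dropping the hand-computed bound and comparing names case-insensitively.

```php
<?php
// Added illustration, not UPB's code. The "name<~>level" layout and the
// function names are assumptions made for this sketch.

// Constructed sample: the user file right after install, holding only the
// installer-created admin record plus the trailing newline.
$sample = "admin<~>Admin\n";

// Duplicate check with a hand-computed loop bound. $offset is the value
// subtracted from count($d): 2 models the original line, 1 the posted fix.
function name_taken(string $db, string $name, int $offset): bool
{
    $d = explode("\n", $db);   // trailing newline yields one empty element
    $c = count($d) - $offset;  // number of records the loop inspects
    for ($i = 0; $i < $c; $i++) {
        $fields = explode("<~>", $d[$i]);
        if ($fields[0] === $name) {
            return true;
        }
    }
    return false;
}

// Variant without a computed bound: skip blank lines and ignore case, so
// neither the trailing newline nor `Admin' vs `admin' can hide a match.
function name_taken_strict(string $db, string $name): bool
{
    foreach (explode("\n", $db) as $line) {
        if ($line === '') {
            continue;
        }
        $fields = explode("<~>", $line);
        if (strcasecmp($fields[0], $name) === 0) {
            return true;
        }
    }
    return false;
}

// With offset 2 the newest record is never compared, so a second `admin'
// registration is not detected; with offset 1 every record is compared.
var_dump(name_taken($sample, "admin", 2));
var_dump(name_taken($sample, "admin", 1));
var_dump(name_taken_strict($sample, "Admin"));
```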


