|
Vulnerability UltraBoard Affected UltraBoard V1.6X Description Rudi Carell found following. He found some interesting things in the "old" UltraBoard-Forum scripts (UltraBoard V 1.6). By using the good old NullByte(\000) its possible to open "any" file on the webserver(with its permissions) running the "UltraBoard" forum-software. cgi-script: UltraBoard.pl || UltraBoard.cgi Variables: Action=PrintableTopic Post=[path_including_".."_to_any_file][***NULLBYTE***] Board=[valid_board] Idle=10 Sort=0 Order=Descend Page=0 Session= hmm ... EOF Juan M. Bello Rivas added following. There's even more fun availiable with old versions of ultraboard (and latest beta of ultraboard 2000 is also vulnerable to this?). You can bring the web server to its knees by issuing a request to the CGI like this: QUERY_STRING=Session=../UltraBoard.pl%00%7c It will start forking instances of the CGI until it eats all the resources of the machine. Solution Newer version fixes this?