Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

   


   


   

















      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: [SA20353] UBB.threads Cross-Site Scripting and File Inclusion



> 
> 
> TITLE:
> UBB.threads Cross-Site Scripting and File Inclusion
> 
> SECUNIA ADVISORY ID:
> SA20353
> 
> VERIFY ADVISORY:
> http://secunia.com/advisories/20353/
> 
> CRITICAL:
> Highly critical
> 
> IMPACT:
> Cross Site Scripting, System access
> 
> WHERE:
> From remote
> 
> SOFTWARE:
> UBB.threads 6.x
> http://secunia.com/product/4379/
> UBB.threads 5.x
> http://secunia.com/product/10214/
> 
> DESCRIPTION:
> Mustafa Can Bjorn has discovered some vulnerabilities in UBB.threads,
> which can be exploited by malicious people to conduct cross-site
> scripting attacks and compromise a vulnerable system.
> 
> 1) Input passed to the "myprefs[language]" parameter in
> includepollresults.php isn't properly verified, before it is used to
> include files. This can be exploited to include arbitrary files from
> local resources.
> 
> Successful exploitation requires that "register_globals" is enabled
> and "magic_quotes_gpc" is disabled.
> 
> 2) Input passed to the "thispath" parameter in ubbt.inc.php isn't
> properly verified, before it is used to include files. This can be
> exploited to include arbitrary files from external and local
> resources.
> 
> Example:
> http://[host]/ubbt.inc.php?GLOBALS[thispath]=[file]
> 
> Successful exploitation requires that "register_globals" is enabled,
> and that PHP 5.x or PHP versions prior to 4.1.0 is used.
> 
> 3) Input passed to the "debug" parameter in ubbthreads.php and other
> scripts is not properly sanitised before being returned to the user.
> This can be exploited to execute arbitrary HTML and script code in a
> user's browser session on context of an affected site.
> 
> The vulnerabilities have been confirmed in version 6.5.1.1 (trial)
> and also reported in version 5.x. Other versions may also be
> affected.
> 
> SOLUTION:
> Edit the source code to ensure that input is properly sanitised.
> 
> Set "register_globals" to "Off".
> 
> PROVIDED AND/OR DISCOVERED BY:
> Mustafa Can Bjorn
> 
> ORIGINAL ADVISORY:
> http://www.nukedx.com/?viewdoc=40
> 
> 



 




Copyright © Lexa Software, 1996-2009.