Thread-topic: [SA20353] UBB.threads Cross-Site Scripting and File Inclusion
> UBB.threads Cross-Site Scripting and File Inclusion
> SECUNIA ADVISORY ID:
> VERIFY ADVISORY:
> Highly critical
> Cross Site Scripting, System access
> From remote
> UBB.threads 6.x
> UBB.threads 5.x
> Mustafa Can Bjorn has discovered some vulnerabilities in UBB.threads,
> which can be exploited by malicious people to conduct cross-site
> scripting attacks and compromise a vulnerable system.
> 1) Input passed to the "myprefs[language]" parameter in
> includepollresults.php isn't properly verified, before it is used to
> include files. This can be exploited to include arbitrary files from
> local resources.
> Successful exploitation requires that "register_globals" is enabled
> and "magic_quotes_gpc" is disabled.
> 2) Input passed to the "thispath" parameter in ubbt.inc.php isn't
> properly verified, before it is used to include files. This can be
> exploited to include arbitrary files from external and local
> Successful exploitation requires that "register_globals" is enabled,
> and that PHP 5.x or PHP versions prior to 4.1.0 is used.
> 3) Input passed to the "debug" parameter in ubbthreads.php and other
> scripts is not properly sanitised before being returned to the user.
> This can be exploited to execute arbitrary HTML and script code in a
> user's browser session on context of an affected site.
> The vulnerabilities have been confirmed in version 188.8.131.52 (trial)
> and also reported in version 5.x. Other versions may also be
> Edit the source code to ensure that input is properly sanitised.
> Set "register_globals" to "Off".
> PROVIDED AND/OR DISCOVERED BY:
> Mustafa Can Bjorn
> ORIGINAL ADVISORY: