
En: ubb hole

Description

----- Original Message -----
From: tdf
To: tgava@telespcelular.com.br
Sent: Monday, November 20, 2000 2:46 PM
Subject: ubb hole

-----------------------------------------------------------------------------------
Ultimate Bulletin Board - Private forums security hole, by tdf (tdf@linuxbr.com.br)
-----------------------------------------------------------------------------------

Well, I can see any open topic inside a private forum (password protected) WITHOUT having the password. How? It's simple! Using the quote feature of the Ultimate Bulletin Board!

Look at this example:

http://www.scriptkeeper.com/cgi-bin/postings.cgi?action=reply&forum=tdf&number=21&topic=000004.cgi&TopicSubject=tdf&replyto=0

Hmm, it's an Infopop help forum, using the latest version of UBB (5.73). This section of the forum is reserved for moderators only, and protected with a password. Put this URL in your web browser and see it with your own eyes!

I can see all open threads in this section of the forum just by changing the number of the xxxxx.cgi, and all its replies by changing replyto=XX.

You noted that I can quote a msg without giving the password... The problem is there :)

c-ya!
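A detection sketch for the behaviour reported above, added here as an example and not part of the original message or of UBB: it scans web access logs for clients that fetch many distinct quote forms (`action=reply` with `replyto`) from a password-protected forum. The Common Log Format input, the reading of `number` as the forum identifier, the private-forum set and the threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumptions, not from the advisory: Common Log Format, `number` identifies
# the forum, which forums are password-protected, and the alert threshold.
PRIVATE_FORUMS = {"21"}
THRESHOLD = 3
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def quote_requests(lines):
    """Yield (client, forum, topic, replyto) for successful quote-form requests."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "200":
            continue  # unparseable line or request that was not served
        url = urlsplit(m.group(2))
        q = parse_qs(url.query)
        if (not url.path.endswith("/postings.cgi")
                or q.get("action", [""])[0] != "reply" or "replyto" not in q):
            continue
        yield (m.group(1), q.get("number", [""])[0],
               q.get("topic", [""])[0], q["replyto"][0])

def flag_enumeration(lines, private=PRIVATE_FORUMS, threshold=THRESHOLD):
    """Return {client: sorted distinct (topic, replyto) pairs} for clients that
    pulled at least `threshold` distinct quote forms from a private forum."""
    seen = defaultdict(set)
    for client, forum, topic, replyto in quote_requests(lines):
        if forum in private:
            seen[client].add((topic, replyto))
    return {c: sorted(p) for c, p in seen.items() if len(p) >= threshold}

def _line(ip, query, status="200"):
    return (f'{ip} - - [20/Nov/2000:14:40:01 -0200] '
            f'"GET /cgi-bin/postings.cgi?{query} HTTP/1.0" {status} 5120')

# Constructed sample log lines (documentation addresses, not real traffic).
_Q = "action=reply&forum=tdf&number=21&TopicSubject=tdf&topic="
SAMPLE = [
    _line("203.0.113.7", _Q + "000004.cgi&replyto=0"),
    _line("203.0.113.7", _Q + "000004.cgi&replyto=1"),
    _line("203.0.113.7", _Q + "000005.cgi&replyto=0"),
    _line("198.51.100.9", _Q + "000004.cgi&replyto=0"),
    _line("198.51.100.9", "action=reply&forum=open&number=3&topic=000001.cgi&replyto=0"),
    _line("192.0.2.44", _Q + "000004.cgi&replyto=2", status="401"),
]

if __name__ == "__main__":
    for client, pairs in flag_enumeration(SAMPLE).items():
        print(client, pairs)
```

Moderators who quote posts after entering the password produce the same requests, so hits are leads to correlate with forum login records rather than confirmed abuse.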