A flaw in the Ultimate PHP Board (UPB) software allows standard users to create an admin account with lower case letters that has standard user privileges but may cause confusion to other users. Fix included.
cc32e63f249c90e0c02670919dd271f2bc8690b8e1f6890f2355f243376c356d
product: Ultimate PHP Board (UPB)
version: Public Beta 1.0b !!FIXED
vendor: http://www.webrc.ca/php/upb.php
status: notified
------------------------------------------------
summary: UPB allows two `admin' accounts to exist,
but with different access levels. It may be
applied in spoofing attacks.
------------------------------------------------
I registered the `admin' account during the install procedure. It has
`Admin' permissions. Later I registered `admin' again the normal way (via
register.php) and UPB did not output any error. But THIS `admin' has `member'
permissions.
solution (from ewgenij_s@gmx.de)
---------
in register.php replace
$c = count($d)-2;
with
$c = count($d)-1;
regardz,
GooDWiN /tF0KP
----------------------------
www.security-ru.net
___________________________
origin: i'm not a lame,
not yet a hacker ))
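One layout under which the one-character fix above matters, shown as an added example that is not UPB's code and not from the advisory's author. It assumes a newline-terminated flat-file user list with `|`-separated fields and a duplicate-name loop bounded by `$c`; only the two `$c` expressions come from the advisory, while `name_taken()` and the sample records are hypothetical.

```php
<?php
// Added illustration, not UPB source. Assumed storage: one user per line,
// "name|level", each line newline-terminated, so explode() always yields
// a trailing empty element. Only the two $c expressions are from the advisory.

// Hypothetical duplicate-name check; $offset selects the loop bound.
function name_taken(string $raw, string $name, int $offset): bool
{
    $d = explode("\n", $raw);
    $c = count($d) - $offset;   // advisory: count($d)-2 before, count($d)-1 after
    for ($i = 0; $i < $c; $i++) {
        $fields = explode('|', $d[$i]);
        if ($fields[0] === $name) {
            return true;        // name already registered, reject the signup
        }
    }
    return false;               // no match among the records that were examined
}

// Constructed sample data: right after install, only the admin record exists.
$fresh = "admin|Admin\n";
// Constructed sample data: a second account has been appended since.
$later = "admin|Admin\nbob|member\n";

foreach ([2 => 'before fix', 1 => 'after fix'] as $offset => $label) {
    foreach (['fresh' => $fresh, 'later' => $later] as $state => $raw) {
        foreach (['admin', 'bob'] as $name) {
            printf(
                "%-10s %-5s %-5s taken: %s\n",
                $label,
                $state,
                $name,
                var_export(name_taken($raw, $name, $offset), true)
            );
        }
    }
}
```

Under these assumptions the unfixed bound stops one record short, so the name held by the last account in the file is never compared and a second registration of it is accepted.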