Ultimate PHP Board (UPB) prior to Public Beta v1.0b allows any registered user to gain admin access. Exploit information included.
product: Ultimate PHP Board (UPB)
version: Public Beta 1.0b !!FIXED
vendor: http://www.webrc.ca/php/upb.php
summary: UPB allows any logged-in user to act with access level 3 (admin permissions)
exploit: yes
Fix: yes
Exploited by Hipik__, member of www.hackeri.org, Bosnian Security Portal
email: hipik@mail.ru
__________________
I registered the user 'Hipik__' and had ordinary member permissions.
After that I logged on to the UPB forum and opened the following URL:
http://www.example.com/admin_members.php
and I could give myself admin permissions.
And that is it. I can change everything on the page.
Even without admin permissions you can also open the following URL:
http://www.example.com/admin_config.php
and change the UPB forum title bar name or colour; or you can open the following URL:
http://www.example.com/admin_cat.php
and manipulate the forum categories; or, if you want to delete forums without admin
permissions, open the following URL:
http://www.example.com/admin_forum.php
_________________________
Exploit:
Register on the UPB forum, log on, then open one of the following URLs:
http://www.example.com/admin_members.php
http://www.example.com/admin_config.php
http://www.example.com/admin_cat.php
http://www.example.com/admin_forum.php
_________________________
Vulnerable code:
The files admin_members.php, admin_config.php, admin_cat.php, admin_forum.php
and the other admin_ files contain this line of code:
if(is_logged_in($user_env, $pass_env, $power_env, $id_env)) {
This line only checks that the user is logged in. It does not check whether the user has admin permissions, so every admin_ page is reachable by any authenticated member.
_________________________
Solution:
In admin_members.php, admin_config.php, admin_cat.php, admin_forum.php
and the other admin_ files, replace this line of code:
if(is_logged_in($user_env, $pass_env, $power_env, $id_env)) {
with this line of code:
if(is_logged_in($user_env, $pass_env, $power_env, $id_env) && $power_env == 3) {
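The following is an added example, not code from the UPB project or from the advisory author. It shows the vulnerable gate quoted above next to a single require_admin() helper that every admin_ file can call instead of repeating the inline check, so the authorization test cannot be forgotten in one file. It assumes the same globals as the advisory's snippet ($user_env, $pass_env, $power_env, $id_env), that is_logged_in() exists with the signature shown, and that the admin power level is 3; the constant UPB_POWER_ADMIN and the helper deny() are hypothetical names introduced here.

```php
<?php
// Added example, not UPB's own code. Assumes is_logged_in() exists as in the
// advisory and that power level 3 means admin. UPB_POWER_ADMIN and deny() are
// hypothetical names introduced for this example.

define('UPB_POWER_ADMIN', 3);

// Vulnerable pattern from the advisory: any authenticated user passes, so a
// plain member can reach admin_members.php, admin_config.php, etc.
function admin_gate_vulnerable($user_env, $pass_env, $power_env, $id_env) {
    return is_logged_in($user_env, $pass_env, $power_env, $id_env);
}

// Hardened gate: require authentication AND the admin power level.
// Uses an integer cast and strict comparison so that values such as "3abc"
// or true do not compare equal to 3 the way a loose == would allow.
function is_admin($user_env, $pass_env, $power_env, $id_env) {
    if (!is_logged_in($user_env, $pass_env, $power_env, $id_env)) {
        return false;
    }
    return (int)$power_env === UPB_POWER_ADMIN;
}

// Stop the request with a 403 instead of silently continuing.
function deny($reason) {
    header('HTTP/1.0 403 Forbidden');
    exit('Access denied: ' . htmlspecialchars($reason));
}

// Call this at the top of every admin_*.php file, before any action
// (member edit, config change, category or forum deletion) is performed.
function require_admin($user_env, $pass_env, $power_env, $id_env) {
    if (!is_admin($user_env, $pass_env, $power_env, $id_env)) {
        deny('admin permission required');
    }
}

require_admin($user_env, $pass_env, $power_env, $id_env);
?>
```

One caveat a practitioner should check before relying on the fix: the check is only as strong as the source of $power_env. If is_logged_in() validates the power level against the stored user record, comparing $power_env is sound; if $power_env comes straight from a cookie or request parameter without that validation, the gate should instead read the power level from the server-side user record for $id_env.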
________________________
NickName: Hipik__
E-mail: hipik@mail.ru
URL: http://www.hackeri.org
IRC Server: irc.dal.net Channel:#hackeri
The best security group in Bosnia
--------------------------------------------------------------
Sorry for my poor English :(