UltraBoard Directory Traversal Vulnerability
BID:1164
Info
| Bugtraq ID: | 1164 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | May 03 2000 12:00AM |
| Updated: | May 03 2000 12:00AM |
| Credit: | Posted to bugtraq by Rudi Carell <[email protected]> on May 3, 2000. |
| Vulnerable: | UltraScripts UltraBoard 1.6 |
| Not Vulnerable: | |
Discussion
UltraBoard 1.6 (and possibly all 1.x versions) is vulnerable to a directory traversal attack that allows any remote browser to download any file that the webserver has read access to. On Windows installations, the file must reside on the same logical drive as the webroot. In all cases, the filename and relative path from the webroot must be known to the attacker.
This is accomplished through a combination of the '../' string and the use of a null byte (x00) in the variables passed to the UltraBoard CGI.
Exploit / POC
http://target/ultraboard.pl?action=PrintableTopic&Post=../../filename.ext\000
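Requests of this shape can be found after the fact in web server access logs. The following is an added example, not part of the original advisory: it scans log lines for requests to ultraboard.pl whose parameters contain a `..` path segment or a null byte once percent-encoding is undone. It assumes Common Log Format and that the null byte is logged as `%00`; the sample lines, addresses and the function names `suspicious_reasons` and `scan` are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); addresses and values are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/May/2000:10:00:01 +0000] "GET /cgi-bin/ultraboard.pl?action=PrintableTopic&Post=42 HTTP/1.0" 200 5120',
    '192.0.2.66 - - [03/May/2000:10:02:17 +0000] "GET /cgi-bin/ultraboard.pl?action=PrintableTopic&Post=../../filename.ext%00 HTTP/1.0" 200 731',
    '192.0.2.66 - - [03/May/2000:10:02:40 +0000] "GET /cgi-bin/ultraboard.pl?action=PrintableTopic&Post=%252e%252e%252ffilename.ext%2500 HTTP/1.0" 200 731',
    '192.0.2.11 - - [03/May/2000:10:03:05 +0000] "GET /cgi-bin/ultraboard.pl?action=PrintableTopic&Post=v1..2 HTTP/1.0" 200 4980',
    '192.0.2.12 - - [03/May/2000:10:04:00 +0000] "GET /docs/index.html?Post=../x HTTP/1.0" 200 1200',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_reasons(value, max_decodes=3):
    """Return the sorted reasons a parameter value looks like traversal input.

    The value is re-decoded a few times so double-encoded input is caught too.
    """
    reasons = set()
    for _ in range(max_decodes):
        if "\x00" in value:
            reasons.add("null-byte")
        # Flag ".." only as a whole path segment, so "v1..2" is not a hit.
        if ".." in re.split(r"[\\/]", value):
            reasons.add("traversal")
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return sorted(reasons)


def scan(lines, script="ultraboard.pl"):
    """Return (line_number, parameter, reasons) for each suspicious request to the script."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/" + script):
            continue
        # parse_qsl already undoes one layer of percent-encoding.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            reasons = suspicious_reasons(value)
            if reasons:
                findings.append((number, key, reasons))
    return findings
```

A hit only shows that the request was made; the response status and size on the same line help judge whether a file was actually returned.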
Solution / Fix
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].