[VIM] CONFIRM: JaxUltraBB PHP/HTML/webscript injection
Heinbockel, Bill
heinbockel at mitre.org
Tue Oct 24 16:40:46 EDT 2006
JaxUltraBB <= 2.0 (delete.php) Defaced Exploit
http://www.milw0rm.com/exploits/2616
XF:jaxultrabb-delete-file-include(29711)
BID:20679
In the delete.php file in JUBB 2.0 (lines 22-38):
$forum = $_GET['forum'];
$topicsfile = file_get_contents("topics/$forum"."topics.JaxSQL");
$topics = explode("{TOPIC}", $topicsfile);
foreach ($topics as $topic) {
    if ($topic != "") {
        if ($topic == $topicpulled) { // topic is the desired one to delete
            //just sit here...
        } else {
            $contents = $contents . "{TOPIC}" . $topic;
        }
    }
}
$openfile = fopen("topics/".$forum."topics.JaxSQL", "w");
fwrite($openfile, $contents);
fclose($openfile);
$contents is not defined before being used on line 31, when building up a
concatenation of lines from the $forum file to "delete" the to-be-deleted
topic. In the exploit:

delete.php?modtype=%3Cimg%20src=img/admin.jpg%3E&forum=../index.php%00&contents=[XSS]

The modtype passed an "attempting hacking" check, while the forum specifies
the "topics" file (this is vulnerable to directory traversal, but only file
modification can occur in conjunction with the code injection). End result:
whatever the value of the $contents variable is initially is prepended to the
$forum file.
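For comparison, here is a hardened rewrite of the quoted fragment. It is an added example, not JaxUltraBB's code or the vendor's fix; it assumes the same topics/<forum>topics.JaxSQL layout and that $topicpulled is set earlier in the script. The two defects it closes are the uninitialised $contents accumulator (which register_globals lets the contents= query parameter seed) and the unvalidated $forum path.

```php
<?php
// Added example (not JaxUltraBB's own code): hardened delete.php fragment.
// Assumes the original file layout and that $topicpulled was set above.

// 1. Never rely on register_globals: initialise the accumulator locally so
//    a request parameter named "contents" cannot seed the output file.
$contents = '';

// 2. Whitelist the forum name. This rejects "../", null bytes and anything
//    that is not a plain identifier, so the path stays inside topics/.
$forum = isset($_GET['forum']) ? $_GET['forum'] : '';
if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $forum)) {
    http_response_code(400);
    exit('Invalid forum name');
}

$path = 'topics/' . $forum . 'topics.JaxSQL';

// 3. Belt and braces: confirm the resolved path really sits under topics/.
$base = realpath('topics');
$real = realpath($path);
if ($base === false || $real === false
    || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('No such forum');
}

$topicsfile = file_get_contents($real);
if ($topicsfile === false) {
    http_response_code(500);
    exit('Could not read topics file');
}

$topics = explode('{TOPIC}', $topicsfile);
foreach ($topics as $topic) {
    if ($topic === '' || $topic === $topicpulled) {
        continue; // skip empty records and the topic being deleted
    }
    $contents .= '{TOPIC}' . $topic;
}

// 4. Write under an exclusive lock so a concurrent request cannot interleave
//    with, or read, a half-written topics file.
if (file_put_contents($real, $contents, LOCK_EX) === false) {
    http_response_code(500);
    exit('Could not write topics file');
}
```

With $contents initialised and $forum restricted to a whitelist, the exploit URL above is rejected at the forum check before any file is opened.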
William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615