Thread-topic: [SA20353] UBB.threads Cross-Site Scripting and File Inclusion
>
>
> TITLE:
> UBB.threads Cross-Site Scripting and File Inclusion
>
> SECUNIA ADVISORY ID:
> SA20353
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/20353/
>
> CRITICAL:
> Highly critical
>
> IMPACT:
> Cross Site Scripting, System access
>
> WHERE:
> From remote
>
> SOFTWARE:
> UBB.threads 6.x
> http://secunia.com/product/4379/
> UBB.threads 5.x
> http://secunia.com/product/10214/
>
> DESCRIPTION:
> Mustafa Can Bjorn has discovered some vulnerabilities in UBB.threads,
> which can be exploited by malicious people to conduct cross-site
> scripting attacks and compromise a vulnerable system.
>
> 1) Input passed to the "myprefs[language]" parameter in
> includepollresults.php isn't properly verified before it is used to
> include files. This can be exploited to include arbitrary files from
> local resources.
>
> Successful exploitation requires that "register_globals" is enabled
> and "magic_quotes_gpc" is disabled.
>
> 2) Input passed to the "thispath" parameter in ubbt.inc.php isn't
> properly verified before it is used to include files. This can be
> exploited to include arbitrary files from external and local
> resources.
>
> Example:
> http://[host]/ubbt.inc.php?GLOBALS[thispath]=[file]
>
> Successful exploitation requires that "register_globals" is enabled,
> and that PHP 5.x or a PHP version prior to 4.1.0 is used.
>
> 3) Input passed to the "debug" parameter in ubbthreads.php and other
> scripts is not properly sanitised before being returned to the user.
> This can be exploited to execute arbitrary HTML and script code in a
> user's browser session in the context of an affected site.
>
> The vulnerabilities have been confirmed in version 6.5.1.1 (trial)
> and also reported in version 5.x. Other versions may also be
> affected.
>
> SOLUTION:
> Edit the source code to ensure that input is properly sanitised.
>
> Set "register_globals" to "Off".
>
> PROVIDED AND/OR DISCOVERED BY:
> Mustafa Can Bjorn
>
> ORIGINAL ADVISORY:
> http://www.nukedx.com/?viewdoc=40
>
>
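The advisory's "SOLUTION" section says to sanitise input and turn "register_globals" off but does not show what the fix looks like in code. The following is an added example written for this post; it is not UBB.threads code and not from Secunia or the original advisory. It contrasts the include pattern the advisory describes (a request-controlled value used to build a path, as for "myprefs[language]" and "thispath") with a hardened form that resolves the value through an allow-list and a realpath containment check, and it escapes echoed request data for the "debug"-style reflection in issue 3. The function names, the language list, the `languages/` directory and the `language` query parameter are all hypothetical.

```php
<?php
// Added example, not UBB.threads code. Helper names, the $allowedLanguages
// list, the languages/ directory and the "language" query parameter are
// hypothetical; the advisory only names the vulnerable parameters.

// Refuse to run under the configuration the advisory identifies as the
// precondition for issues 1 and 2. On PHP >= 5.4 the directive no longer
// exists, ini_get() returns false and this check simply passes.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('register_globals must be Off');
}

/**
 * The pattern the advisory describes, kept only for contrast (do not deploy):
 * the include path is built directly from a request-controlled value, so
 * traversal sequences and absolute paths select arbitrary local files.
 */
function include_language_unsafe(string $language, string $base): void
{
    include $base . '/' . $language . '.php';
}

/**
 * Hardened form: the request value is never used as a path. It must match an
 * entry of a fixed allow-list exactly, and the resulting file is resolved
 * with realpath() and checked to lie inside the languages directory.
 * Returns the resolved path, or null when nothing may be included.
 */
function resolve_language_file(string $requested, array $allowed, string $base): ?string
{
    if (!in_array($requested, $allowed, true)) {
        return null;                  // unknown language: fall back, never include
    }
    $baseReal  = realpath($base);
    $candidate = realpath($base . '/' . $requested . '.php');
    if ($baseReal === false || $candidate === false) {
        return null;                  // directory or file does not exist
    }
    // Defence in depth: even an allow-listed name must resolve inside $base.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Issue 3: any request value echoed back to the page (the "debug" parameter
 * in the advisory) is HTML-escaped for the context it is written into.
 */
function html_safe(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed usage: read explicitly from $_GET rather than from a global
// that register_globals would have populated from the request.
$allowedLanguages = ['english', 'german', 'french'];   // hypothetical list
$langDir   = __DIR__ . '/languages';                     // hypothetical path
$requested = isset($_GET['language']) ? (string) $_GET['language'] : 'english';

$file = resolve_language_file($requested, $allowedLanguages, $langDir);
if ($file !== null) {
    include $file;
}

if (isset($_GET['debug'])) {
    echo '<pre>', html_safe((string) $_GET['debug']), '</pre>';
}
```

The allow-list is the real control here: once the request value is only ever compared against known names, the "register_globals" and "magic_quotes_gpc" preconditions in the advisory stop mattering for the include, and the realpath check guards against a mistake in the list itself. Setting "register_globals" to "Off", as the advisory recommends, remains necessary for every other script that still reads variables implicitly.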