[VIM] CONFIRM: JaxUltraBB PHP/HTML/webscript injection

Heinbockel, Bill heinbockel at mitre.org
Tue Oct 24 16:40:46 EDT 2006


JaxUltraBB <= 2.0 (delete.php) Defaced Exploit
http://www.milw0rm.com/exploits/2616
XF:jaxultrabb-delete-file-include(29711)
BID:20679

In the delete.php file in JUBB 2.0 (lines 22-38):

    $forum = $_GET['forum'];

    $topicsfile = file_get_contents("topics/$forum"."topics.JaxSQL");
    $topics = explode("{TOPIC}", $topicsfile);
    foreach ($topics as $topic) {
        if ($topic != "") {
            if ($topic == $topicpulled) { // topic is the desired one to delete
                //just sit here...
            } else {
                $contents = $contents . "{TOPIC}" . $topic;
            }
        }
    }

    $openfile = fopen("topics/".$forum."topics.JaxSQL", "w");
    fwrite($openfile, $contents);
    fclose($openfile);


$contents is not defined before being used on line 31, when building up
a concatenation of lines from the $forum file to "delete" the
to-be-deleted topic. In the exploit:

delete.php?modtype=%3Cimg%20src=img/admin.jpg%3E&forum=../index.php%00&contents=[XSS]

The modtype passed an "attempting hacking" check, while the forum
specifies the "topics" file (this is vulnerable to directory traversal,
but only file modification can occur in conjunction with the code
injection). End result: whatever the value of the $contents variable is
initially is prepended to the $forum file.


William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615
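
Added example, not part of the original message and not JaxUltraBB code: a hardened form of the topic-removal logic quoted above, addressing the two conditions the post describes (the uninitialised $contents and the unchecked forum value used in the file path). The function name jubb_delete_topic, the forum-name pattern and the demo file are assumptions made for illustration.

```php
<?php
// Added example: names and the allowed forum-name pattern are assumptions.
function jubb_delete_topic(string $topicsDir, string $forum, string $topicPulled): bool
{
    // Allowlist the forum identifier so no slash, dot or NUL byte reaches the path.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $forum)) {
        return false;
    }
    $base = realpath($topicsDir);
    if ($base === false) {
        return false;
    }
    // Resolve the final path and confirm it is an existing file directly inside
    // the topics directory (defence in depth on top of the allowlist).
    $real = realpath($base . DIRECTORY_SEPARATOR . $forum . 'topics.JaxSQL');
    if ($real === false || dirname($real) !== $base) {
        return false;
    }
    $topicsFile = file_get_contents($real);
    if ($topicsFile === false) {
        return false;
    }
    // Initialise the accumulator locally; it never takes a value from the request.
    $contents = '';
    foreach (explode('{TOPIC}', $topicsFile) as $topic) {
        if ($topic === '' || $topic === $topicPulled) {
            continue; // skip empty fragments and the topic being deleted
        }
        $contents .= '{TOPIC}' . $topic;
    }
    return file_put_contents($real, $contents, LOCK_EX) !== false;
}

// Constructed demo data in a temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'jubb_demo_' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir);
}
$file = $dir . DIRECTORY_SEPARATOR . 'generaltopics.JaxSQL';
file_put_contents($file, '{TOPIC}first{TOPIC}second');

var_dump(jubb_delete_topic($dir, 'general', 'first'));         // valid forum name
var_dump(file_get_contents($file));                            // remaining topics
var_dump(jubb_delete_topic($dir, "../index.php\0", 'first'));  // value from the quoted request
unlink($file);
rmdir($dir);
```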

