product: Ultimate PHP Board (UPB)
version: Public Beta 1.0b !!FIXED
vendor: http://www.webrc.ca/php/upb.php
summary: UPB allows any registered user to obtain access level 3 (admin permissions)
exploit: yes
Fix: yes
Exploited by Hipik__, member of www.hackeri.org, Bosnian Security Portal
email: hipik@mail.ru

__________________

I registered as the user 'Hipik__' with ordinary member permissions. After that I logged on to the UPB forum and opened the following URL:

http://www.example.com/admin_members.php

and I could give myself admin permissions. That is it: I can change everything on the page.

Also, without admin permissions you can go to the following URL:

http://www.example.com/admin_config.php

and manipulate the UPB forum title bar name and colour, or you can go to the following URL:

http://www.example.com/admin_cat.php

and manipulate the forum categories, or if you want to delete forums without admin permissions, go to the following URL:

http://www.example.com/admin_forum.php

_________________________

Exploit:

Register on the UPB forum, log on, then go to one of the following URLs:

http://www.example.com/admin_members.php
http://www.example.com/admin_config.php
http://www.example.com/admin_cat.php
http://www.example.com/admin_forum.php

_________________________

Vulnerable code:

The files admin_members.php, admin_config.php, admin_cat.php, admin_forum.php and the other admin_ files contain this line of code:

if(is_logged_in($user_env, $pass_env, $power_env, $id_env)) {

This line does not check whether the user has admin permissions; it only checks whether they are logged on.

_________________________

Solution:

In the files admin_members.php, admin_config.php, admin_cat.php, admin_forum.php and the other admin_ files, replace this line of code:

if(is_logged_in($user_env, $pass_env, $power_env, $id_env)) {

with this line of code:

if(is_logged_in($user_env, $pass_env, $power_env, $id_env) && $power_env == 3) {

________________________

NickName: Hipik__
E-mail: hipik@mail.ru
URL: http://www.hackeri.org
IRC Server: irc.dal.net
Channel: #hackeri
The best security group in Bosnia

--------------------------------------------------------------

Sorry for my poor English :(
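The following is an added example, not code from UPB or from the advisory's author. It puts the vulnerable gate from the advisory beside the fixed one so the difference is visible on constructed requests. UPB's real is_logged_in() is not on the page, so a hypothetical stand-in with the same signature is used, and the member table is constructed in memory. The advisory does not say where $power_env comes from; if it is carried in the request (a cookie or form field) rather than read from the member record, a check on $power_env alone can be satisfied by whoever controls that value, so the example also shows a require_admin() helper (an assumption of good practice, not part of the published fix) that takes the power level from the stored member record.

```php
<?php
// Added example (not UPB code): the authorization gate from the advisory,
// shown as the vulnerable form beside the fixed form, with a constructed
// in-memory member table so it runs stand-alone.

const POWER_MEMBER = 1;
const POWER_ADMIN  = 3;   // access level 3 = admin, per the advisory

// Constructed member records (assumption: UPB keeps a per-user power level).
$members = [
    'Hipik__' => ['pass' => 'memberpass', 'power' => POWER_MEMBER, 'id' => 2],
    'admin'   => ['pass' => 'adminpass',  'power' => POWER_ADMIN,  'id' => 1],
];

// Hypothetical stand-in for UPB's is_logged_in(); only the signature is
// taken from the advisory. It verifies credentials and the user id, and,
// like the original, says nothing about the power level.
function is_logged_in($user_env, $pass_env, $power_env, $id_env) {
    global $members;
    return isset($members[$user_env])
        && hash_equals($members[$user_env]['pass'], (string)$pass_env)
        && $members[$user_env]['id'] === (int)$id_env;
}

// Vulnerable gate as published: any logged-on user reaches the admin page.
function admin_page_vulnerable($user_env, $pass_env, $power_env, $id_env) {
    if (is_logged_in($user_env, $pass_env, $power_env, $id_env)) {
        return 'admin page';
    }
    return 'denied';
}

// Fixed gate as published in the advisory: additionally require power level 3.
function admin_page_fixed($user_env, $pass_env, $power_env, $id_env) {
    if (is_logged_in($user_env, $pass_env, $power_env, $id_env) && $power_env == 3) {
        return 'admin page';
    }
    return 'denied';
}

// Added helper (not from the advisory): decide on the power level stored in
// the member record, not on the value that arrived with the request, and
// compare strictly so only the exact admin level passes.
function require_admin($user_env, $pass_env, $power_env, $id_env) {
    global $members;
    if (!is_logged_in($user_env, $pass_env, $power_env, $id_env)) {
        return false;
    }
    return $members[$user_env]['power'] === POWER_ADMIN;
}

// Constructed requests: an ordinary member as registered, the same member
// with a power value that does not match the record, and a real admin.
$cases = [
    'member, stored power'   => ['Hipik__', 'memberpass', 1, 2],
    'member, mismatched pwr' => ['Hipik__', 'memberpass', 3, 2],
    'real admin'             => ['admin',   'adminpass',  3, 1],
];

foreach ($cases as $label => $args) {
    printf("%-24s vulnerable=%-10s fixed=%-10s require_admin=%s\n",
        $label,
        admin_page_vulnerable(...$args),
        admin_page_fixed(...$args),
        require_admin(...$args) ? 'yes' : 'no');
}
```

Run with `php example.php`. The first row shows the published bug (the member reaches the admin page on the vulnerable gate and is denied on the fixed one); the second row shows why the stored level is the safer source of truth when the request-supplied value cannot be trusted; the third row shows that a genuine admin passes all three checks. Applying the same gate in every admin_ file, or centralising it in one included helper so no page can forget it, is the detection-free part of the fix: there is no log to watch here, the check simply has to exist on every privileged page.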