[ SOURCE: http://www.secureroot.com/security/advisories/9795496914.html ]

   Hacksware Bug Report



1. Name: UltraBoard cgi directory permission problem

2. Release Date: 2001.1.12

3. Affected Application:

 UltraBoard 2000 Personal Edition

 Version 2.11

 http://www.ub2k.com/downloads/UB211PEB1.zip

4. Author: mat@hacksware.com

5. Type: Configuration Error

6. Explanation

 In default installation, following Directories below ub2k cgi installtion directory have 777 permission.

  ./Private/Skins

  ./Private/Database

  ./Private/Backups

 You can add some cgi scripts to theses directories and can gain webserver uid.

7. Exploits

 Refer to Explation.

8. Solution

 chmod 755 `find <ub2k cgi directory> -perm 777`

  ub2k cgi directory: the directory where you installed ub2k cgi files.



=================================================

|               mat@hacksware.com               |

|             http://hacksware.com              |

=================================================