Date: Fri, 12 Jan 2001 09:40:53 +0900
From: JW Oh <mat@IVNTECH.COM>
Subject: UltraBoard cgi directory permission problem
To: BUGTRAQ@SECURITYFOCUS.COM

Hacksware Bug Report

1. Name: UltraBoard cgi directory permission problem

2. Release Date: 2001.1.12

3. Affected Application:
   UltraBoard 2000 Personal Edition Version 2.11
   http://www.ub2k.com/downloads/UB211PEB1.zip

4. Author: mat@hacksware.com

5. Type: Configuration Error

6. Explanation
   In the default installation, the following directories below the
   ub2k cgi installation directory have 777 permission:

     ./Private/Skins
     ./Private/Database
     ./Private/Backups

   Because these directories are world-writable, cgi scripts can be
   added to them and will run with the webserver uid.

7. Exploits
   Refer to Explanation.

8. Solution
   chmod 755 `find <ub2k cgi directory> -perm 777`

   ub2k cgi directory: the directory where you installed ub2k cgi files.

=================================================
| mat@hacksware.com                             |
| http://hacksware.com                          |
=================================================
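An added example, not part of the original advisory: a POSIX shell audit for the condition described in sections 6 and 8. It goes beyond the advisory's exact-777 match to cover any directory writable by "other", and it handles paths containing spaces; the function names and the --fix flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory). Function names and the --fix
# flag are hypothetical; the root directory is whatever you pass in.

# Print every directory under $1 that is writable by "other" (bit 0002).
# This matches 777 as in the advisory, and also variants such as 757.
list_world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Set each such directory to 755 and print the paths that were changed.
# -exec hands each path to chmod as a single argument, so names with
# spaces are safe, and chmod is never run with an empty argument list
# (which the backtick form does when find matches nothing).
fix_world_writable_dirs() {
    find "$1" -type d -perm -0002 -exec chmod 755 {} \; -print
}

# Usage: sh audit.sh <ub2k cgi directory> [--fix]
# Without --fix the script only reports; nothing is modified.
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--fix" ]; then
        fix_world_writable_dirs "$1"
    else
        list_world_writable_dirs "$1"
    fi
fi
```

Run it without --fix first and review the list, since some applications need the web server to write to specific directories and are better served by a change of ownership than by 777.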