[LWN Logo]
[Timeline]
Date:         Fri, 12 Jan 2001 09:40:53 +0900
From: JW Oh <mat@IVNTECH.COM>
Subject:      UltraBoard cgi directory permission problem
To: BUGTRAQ@SECURITYFOCUS.COM

   Hacksware Bug Report

1. Name: UltraBoard cgi directory permission problem
2. Release Date: 2001.1.12
3. Affected Application:
 UltraBoard 2000 Personal Edition
 Version 2.11
 http://www.ub2k.com/downloads/UB211PEB1.zip
4. Author: mat@hacksware.com
5. Type: Configuration Error
6. Explanation
 In default installation, following Directories below ub2k cgi installtion directory have 777 permission.
  ./Private/Skins
  ./Private/Database
  ./Private/Backups
 You can add some cgi scripts to theses directories and can gain webserver uid.
7. Exploits
 Refer to Explation.
8. Solution
 chmod 755 `find <ub2k cgi directory> -perm 777`
  ub2k cgi directory: the directory where you installed ub2k cgi files.

=================================================
|               mat@hacksware.com               |
|             http://hacksware.com              |
=================================================