wwwboard.pl vulnerability

From: bugtraq (bugtraqat_private)
Date: Thu Sep 03 1998 - 13:37:06 PDT


    Hello,
    
    The commonly used wwwboard.pl program, available for free from
    www.worldwidemart.com, is a suite that appears to not have security as a
    serious consideration in its design.  Not only does the default location
    of passwords in the wwwadmin.pl program allow anyone on the internet to
    perform dictionary attacks on the board admin's password, there is
    another, more subtle DoS attack.
    
    There is no input checking done on the list of articles which a given
    article is a followup to.  This allows us to give it invalid input such
    that we can clobber files that the web server has write permissions to.
    
    For example, this HTML snippet, when read by Netscape (and the button is
    pushed), will clobber articles 1 to 5 on the wwwboard at some.poor.host.
    
    <form method=POST action="http://some.poor.host/cgi-bin/wwwboard.pl">
    <input type=hidden name="followup" value="1,2,3,4,5,|.|">
    <input type=submit value="Clobber web board">
    </form>
    
    The included patch patches wwwboard.pl against this attack.
    
    I notified the author, mattat_private of this problem over a week
    ago, but have not gotten a response from him.
    
    I should mention that wwwboard.pl also does not log the IP that posts a
    given message to the board.
    
    > #       looking at the apache 1.2.5 source code i found
    > #       that there was no limit on how many mime headers could
    > #       be included in a client request. The only limits
    > #       are : 8192 byte for each header, 300 sec. on reading headers.
    
    On another topic, this posted attack against Apache using an arbitrary
    number of different headers does not work against servers with Ben's
    recent Sioux patch.
    
    - Sam
    
    Patch for wwwboard.pl (which requires perl5 to run) follows:
    
    *** wwwboard.patch.pl   Thu Sep  3 13:14:46 1998
    --- wwwboard.pl Thu Sep  3 13:17:47 1998
    ***************
    *** 1,4 ****
    ! #!/usr/local/bin/perl
      ##############################################################################
      # WWWBoard                      Version 2.0 ALPHA 2                          #
      # Copyright 1996 Matt Wright    mattwat_private                      #
    --- 1,4 ----
    ! #!/usr/local/bin/perl -T
      ##############################################################################
      # WWWBoard                      Version 2.0 ALPHA 2                          #
      # Copyright 1996 Matt Wright    mattwat_private                      #
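Review bot: adding -T on the #! line only takes effect when the script is launched through that line; if the server or a wrapper invokes it as `perl wwwboard.pl`, perl aborts with "Too late for -T option", so the invocation must pass -T as well. That is worth saying in the patch description, because the two hunks below rely on taint mode plus the regex captures to keep form data out of file names, and any other tainted value the script still interpolates into a path (for instance `$FORM{'origdate'}`, left unchanged below, if it is ever used that way) will now die at runtime rather than be written silently.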
    ***************
    *** 82,88 ****
    
      sub get_number {
         open(NUMBER,"$basedir/$datafile");
    !    $num = <NUMBER>;
         close(NUMBER);
         if ($num == 99999)  {
            $num = "1";
    --- 82,90 ----
    
      sub get_number {
         open(NUMBER,"$basedir/$datafile");
    !    my($n) = <NUMBER>;
    !    $n =~ /(\d+)/;
    !    $num = $1;
         close(NUMBER);
         if ($num == 99999)  {
            $num = "1";
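Review bot: `$n =~ /(\d+)/; $num = $1;` uses `$1` without checking that the match succeeded; if the counter file is empty or corrupt, `$1` keeps whatever the last successful match captured (or is undefined), so `$num` is silently wrong instead of the script failing. Suggest `if ($n =~ /^\s*(\d+)/) { $num = $1; } else { die "bad counter in $basedir/$datafile"; }`. The unchecked `open(NUMBER,"$basedir/$datafile")` is pre-existing, but it feeds the same failure path when the open fails.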
    ***************
    *** 132,138 ****
    
         if ($FORM{'followup'}) {
            $followup = "1";
    !       @followup_num = split(/,/,$FORM{'followup'});
            $num_followups = @followups = @followup_num;
            $last_message = pop(@followups);
            $origdate = "$FORM{'origdate'}";
    --- 134,146 ----
    
         if ($FORM{'followup'}) {
            $followup = "1";
    !       my($item);
    !       my(@list) = split(/,/,$FORM{'followup'});
    !       @followup_num = ();
    !       foreach $item (@list) {
    !         $item =~ /(\d+)/;
    !         push(@followup_num,$1);
    !         }
            $num_followups = @followups = @followup_num;
            $last_message = pop(@followups);
            $origdate = "$FORM{'origdate'}";
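Review bot: the loop has the same unchecked `$1` problem: for an item with no digits (the `|.|` in the posted form), `$item =~ /(\d+)/` fails and `push(@followup_num,$1)` pushes the capture from the previous item, so the bad entry turns into a duplicate of a valid article number instead of being rejected. Suggest anchoring and testing the match, e.g. `next unless $item =~ /^\s*(\d+)\s*$/;` (or rejecting the whole post when any item fails), and note that `$num_followups` then counts only the accepted items.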
    
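The core fix described in the post is to accept only article numbers in the followup field before any file name is built from it. The following is an added example of that validation, written for this page and not taken from the post or from wwwboard.pl; the directory `$basedir`, the `messages/<num>.html` layout, and the function names `parse_followups` and `article_path` are assumptions. It rejects the whole request on any non-numeric item (rather than silently dropping or duplicating it), keeps trailing and empty items from slipping through, and shows the outcome for a normal thread and for the `1,2,3,4,5,|.|` value from the post.

```perl
#!/usr/bin/perl
# Added example: strict validation of a comma-separated "followup" field.
# Not part of wwwboard.pl; $basedir and the file layout are assumptions.
use strict;
use warnings;

# Hypothetical board directory (wwwboard.pl has its own $basedir).
my $basedir = '/tmp/wwwboard-example';

# Returns the list of validated, de-duplicated article numbers.
# Dies on the first item that is not a positive decimal integer, so a
# request containing garbage is refused as a whole.  The anchored capture
# is also what untaints the value when the script runs under -T.
# The width limit matches the counter in wwwboard.pl, which wraps at 99999.
sub parse_followups {
    my ($field) = @_;
    return () unless defined $field && length $field;
    my (@nums, %seen);
    # Limit -1 keeps trailing empty fields, so "1,2," is rejected too.
    for my $item (split /,/, $field, -1) {
        unless ($item =~ /\A\s*([1-9][0-9]{0,4})\s*\z/) {
            die "rejected followup field: invalid item '$item'\n";
        }
        push @nums, $1 unless $seen{$1}++;
    }
    return @nums;
}

# Builds the on-disk path for one article number.  It re-checks the
# number so it can only ever produce a path directly under messages/.
sub article_path {
    my ($num) = @_;
    die "not a validated article number\n"
        unless $num =~ /\A[1-9][0-9]{0,4}\z/;
    return "$basedir/messages/$num.html";
}

# Demo on constructed inputs: a normal thread, the value from the post,
# an empty item, and a path-looking item.  Only the first is accepted.
for my $input ('1,2,3,4,5', '1,2,3,4,5,|.|', '3,,4', '../../etc/passwd') {
    my @nums = eval { parse_followups($input) };
    if ($@) { print "$input => $@"; next; }
    print "$input => ", join(' ', map { article_path($_) } @nums), "\n";
}
```

Compared with the patch, the difference is that a failed match is a hard rejection rather than a silent reuse of `$1`, and the pattern is anchored so a value such as `12abc` is refused instead of being trimmed to `12`.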



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:14:53 PDT