Patches for wwwboard.pl (Was: Re: wwwboard.pl vulnerability)

From: Ken Williams (jkwilli2at_private)
Date: Wed Oct 07 1998 - 09:38:59 PDT


    On Thu, 3 Sep 1998, bugtraq wrote:
    
    >| Date: Thu, 3 Sep 1998 13:37:06 -0700
    >| From: bugtraq <bugtraqat_private>
    >| To: BUGTRAQat_private
    >| Subject: wwwboard.pl vulnerability
    >|
    >| Hello,
    >|
    >| The commonly used wwwboard.pl program, available for free from
    >| www.worldwidemart.com, is a suite that appears to not have security as a
    >| serious consideration in its design.  Not only does the default location
    >| of passwords in the wwwadmin.pl program allow anyone on the internet to
    >| perform dictionary attacks on the board admin's password, there is
    >| another, more subtle DOS attack.
    
    Hello,
    
    A simple solution that has worked fine for me is to not use the wwwadmin.pl
    script at all.  Don't install it and use vi to edit instead.
    
    >| There is no input checking done on the list of articles which a given
    >| article is a followup to.  This allows us to give it invalid input such
    >| that we can clobber files that the web server has write permissions to.
    >|
    >| For example, this HTML snippet, when read by Netscape (and the button is
    >| pushed), will clobber articles 1 to 5 on the wwwboard at some.poor.host.
    >|
    >| <form method=POST action="http://some.poor.host/cgi-bin/wwwboard.pl">
    >| <input type=hidden name="followup" value="1,2,3,4,5,|.|">
    >| <input type=submit value="Clobber web board">
    >| </form>
    >|
    >| The included patch patches wwwboard.pl against this attack.
    
    A better and much simpler solution is to simply rip the &check_url
    subroutine from Matt Wright's FormMail.pl script and use that instead.
    Not only does it fix this security hole, but it also solves any other
    problems or worries associated with remote execution of the wwwboard.pl
    script.
    
    ----------begin patch----------
    Patch (ripped directly from Matt Wright's FormMail.pl)
    -----------------------------------------------------
    
    In the "Define Variables" section add:
    -----
    # security fix for post deletion
    # check http://worldwidemart.com/scripts/ for more details
    @referers = ('www.ncsu.edu','152.1.2.244');
    -----
    
    In the section that calls the subroutines right after "Configure Options"
    add the following:
    -----
    # Check Referring URL - remote post security fix
    &check_url;
    -----
    
    At the beginning of the subroutines, add the following:
    -----
    # security fix for remote post deletion
    sub check_url {
    
        # Localize the check_referer flag which determines if user is valid.     #
        local($check_referer) = 0;
    
        # If a referring URL was specified, for each valid referer, make sure    #
        # that a valid referring URL was passed to FormMail.                     #
    
        if ($ENV{'HTTP_REFERER'}) {
            foreach $referer (@referers) {
                if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
                    $check_referer = 1;
                    last;
                }
            }
        }
        else {
            $check_referer = 1;
        }
    
        # If the HTTP_REFERER was invalid, send back an error.                   #
        if ($check_referer != 1) { &error('bad_referer') }
    }
    -----
    
    In the "error" subroutine, add the following, or roll your own:
    -----
    # error message to print out to people trying to delete posts via the patched remote post exploit
       elsif ($error eq 'bad_referer') {
          print "<html><head><title>Nice try, script kiddy</title></head>\n";
          print "<body>Nice try, script kiddy.  No posting from remote URLs.</body></html>\n";
          exit;
       }
    -----
    ----------end patch----------
    
    >| I notified the author, mattat_private of this problem over a week
    >| ago, but have not gotten a response from him.
    >|
    >| I should mention that wwwboard.pl also does not log the IP that posts a
    >| given message to the board.
    
    Why not just write the IP to the HTML documents created?
    
    Quick Patch
    -----------
    
    Add this in the "Define Variables" section:
    $ipaddy = $ENV{'REMOTE_ADDR'};
    
    Then, just tack $ipaddy on after all instances of $name in the new_file
    subroutine.
    
    [snipped Apache stuff]
    
    >| - Sam
    
    [snipped original patch]
    
    
    Added Bonus Patch
    -----------------
    
    Hate the Blink tag?  Try this:
    
    -----patch to LART blink tag users-----
    In the "Configure Options" section, add this:
    -----
    $allow_blink_tag = 0;   # 1 = YES; 0 = NO
    -----
    
    Inside the "Parse Form Subroutine", add this:
    -----
    # Nate Johnson <nsjat_private> codes perl regexes in his sleep
          if ($allow_blink_tag == 0) {
             $value =~ s@(<|&lt;?)\s?/?blink(>|&gt;?)@<font size=7 color=pink>
             I Can't even hack a blink tag on this wwwboard!<\/font>@gi;
          }
    -----
    ---------------------------------------
    
    In case I wasn't clear enough, or if you just want to see what a
    mess my own wwwboard.pl script is, go to
    http://www.genocide2600.com/~tattooman/wwwboard/wwwboard.pl
    to check out the source code for my implementation of wwwboard.pl
    at http://www.genocide2600.com/~tattooman/wwwboard/wwwboard.html
    
    
    Regards,
    
    Ken Williams
    
    Packet Storm Security http://www.Genocide2600.com/~tattooman/index.shtml
    E.H.A.P. Corporation  http://www.ehap.org/  ehapat_private infoat_private
    NCSU Comp Sci Dept    http://www.csc.ncsu.edu/ jkwilli2at_private
    PGP DSS/DH/RSA Keys   http://www4.ncsu.edu/~jkwilli2/pgpkey/
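The following is an added example, not code from Ken Williams' post, from wwwboard.pl or from FormMail.pl. It shows the two defensive checks the thread is about as stand-alone Perl: a whitelist parser for the "followup" field (the unchecked input in the quoted report, where "|.|" reaches a filename), and a stricter variant of the check_url referer test that refuses a request with no Referer header (check_url above accepts one) and compares the host exactly rather than by substring. The function names, the 100-message limit and the test inputs are all constructed for the example.

```perl
#!/usr/bin/perl
# Added example: not part of the original post, wwwboard.pl or FormMail.pl.
# Hypothetical helper names; constructed sample inputs at the bottom.
use strict;
use warnings;

# Accept only comma-separated decimal message numbers within 1..$max_msg.
# Anything else (paths, "|.|", stray characters) is rejected before it can
# become part of a filename.  Returns (1, \@ids) or (0, $reason).
sub parse_followup {
    my ($raw, $max_msg) = @_;
    $raw = '' unless defined $raw;
    my (@ids, %seen);
    for my $part (split /,/, $raw, -1) {
        $part =~ s/^\s+|\s+$//g;
        next if $part eq '';                       # tolerate a trailing comma
        return (0, "invalid followup entry '$part'")
            unless $part =~ /^[0-9]{1,8}$/;
        my $n = $part + 0;
        return (0, "followup $n out of range") if $n < 1 || $n > $max_msg;
        push @ids, $n unless $seen{$n}++;         # drop duplicates
    }
    return (1, \@ids);
}

# Build the article filename from the validated integer only.
sub followup_filename {
    my ($msgdir, $id) = @_;
    return "$msgdir/$id.html";
}

# Stricter referer check: a missing or empty Referer is a failure, and the
# host part of the URL must equal one of the allowed hosts exactly.
sub referer_allowed {
    my ($referer, @allowed) = @_;
    return 0 unless defined $referer && $referer ne '';
    return 0 unless $referer =~ m{^https?://([^/:?#]+)}i;
    my $host  = lc $1;
    my $match = grep { lc($_) eq $host } @allowed;
    return $match ? 1 : 0;
}

# --- constructed inputs for a quick self-check (expected ok=1 / reject=0) ---
my @cases = (
    ['1,2,3,4,5',      1],   # normal followup list
    ['1,2,3,4,5,|.|',  0],   # the clobber payload from the quoted report
    ['../wwwadmin',    0],   # not a message number
    ['7, 7 ,9,',       1],   # whitespace, duplicate, trailing comma
    ['',               1],   # no followups at all
);
for my $c (@cases) {
    my ($ok, $result) = parse_followup($c->[0], 100);
    my $shown = $ok ? join(',', map { followup_filename('messages', $_) } @$result)
                    : $result;
    printf "%-18s => %s (%s)\n", "'$c->[0]'", ($ok ? 'ok' : 'REJECT'), $shown;
    die "self-check failed for '$c->[0]'\n" unless $ok == $c->[1];
}

my @referers = ('www.ncsu.edu', '152.1.2.244');
die "referer check failed\n"
    unless referer_allowed('http://www.ncsu.edu/board/wwwboard.html', @referers);
die "lookalike host accepted\n"
    if referer_allowed('http://not-www.ncsu.edu/board/', @referers);
die "missing referer accepted\n"
    if referer_allowed(undef, @referers);
print "referer checks ok\n";
```

Run it as a plain script; it prints the verdict for each constructed followup string and dies if any case does not behave as expected. Note the difference in policy from check_url: requiring a Referer will also turn away browsers and proxies that strip the header, which is why the input whitelist, not the referer test, is the check that actually prevents the file clobbering.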
    