Since the referer information comes from the remote client, that doesn't
prevent malicious destruction. Anyone with netcat or telnet could forge the
referer field. It requires a little more expertise, but not much.

> -----Original Message-----
> From: Ken Williams [SMTP:jkwilli2at_private]
> Sent: Wednesday, October 07, 1998 12:39 PM
> To: BUGTRAQat_private
> Subject: Patches for wwwboard.pl (Was: Re: wwwboard.pl vulnerability)
>
> On Thu, 3 Sep 1998, bugtraq wrote:
>
> >| Date: Thu, 3 Sep 1998 13:37:06 -0700
> >| From: bugtraq <bugtraqat_private>
> >| To: BUGTRAQat_private
> >| Subject: wwwboard.pl vulnerability
> >|
> >| Hello,
> >|
> >| The commonly used wwwboard.pl program, available for free from
> >| www.worldwidemart.com, is a suite that appears to not have security as a
> >| serious consideration in its design. Not only does the default location
> >| of passwords in the wwwadmin.pl program allow anyone on the internet to
> >| perform dictionary attacks on the board admin's password, there is
> >| another, more subtle DOS attack.
>
> Hello,
>
> Simple solution that has worked fine for me is to not use the wwwadmin.pl
> script at all. Don't install it and use vi to edit instead.
>
> >| There is no input checking done on the list of articles which a given
> >| article is a followup to. This allows us to give it invalid input such
> >| that we can clobber files that the web server has write permissions to.
> >|
> >| For example, this HTML snippet, when read by Netscape (and the button is
> >| pushed), will clobber articles 1 to 5 on the wwwboard at some.poor.host.
> >|
> >| <form method=POST action="http://some.poor.host/cgi-bin/wwwboard.pl">
> >| <input type=hidden name="followup" value="1,2,3,4,5,|.|">
> >| <input type=submit value="Clobber web board">
> >| </form>
> >|
> >| The included patch patches wwwboard.pl against this attack.
>
> A better and much simpler solution is to simply rip the &check_url
> subroutine from Matt Wright's FormMail.pl script and use that instead.
> Not only does it fix this security hole, but it also solves any other
> problems or worries associated with remote execution of the wwwboard.pl
> script.
>
> ----------begin patch----------
> Patch (ripped directly from Matt Wright's FormMail.pl)
> -----------------------------------------------------
>
> In the "Define Variables" section add:
> -----
> # security fix for post deletion
> # check http://worldwidemart.com/scripts/ for more details
> @referers = ('www.ncsu.edu','152.1.2.244');
> -----
>
> In the section that calls the subroutines right after "Configure Options"
> add the following:
> -----
> # Check Referring URL - remote post security fix
> &check_url;
> -----
>
> At the beginning of the subroutines, add the following:
> -----
> # security fix for remote post deletion
> sub check_url {
>
>     # Localize the check_referer flag which determines if user is valid.
>     local($check_referer) = 0;
>
>     # If a referring URL was specified, for each valid referer, make sure
>     # that a valid referring URL was passed to FormMail.
>     if ($ENV{'HTTP_REFERER'}) {
>         foreach $referer (@referers) {
>             if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
>                 $check_referer = 1;
>                 last;
>             }
>         }
>     }
>     else {
>         $check_referer = 1;
>     }
>
>     # If the HTTP_REFERER was invalid, send back an error.
>     if ($check_referer != 1) { &error('bad_referer') }
> }
> -----
>
> In the "error" subroutine, add the following, or roll your own:
> -----
> # error message to print out to ppl trying to delete posts via patched
> # remote post exploit
> elsif ($error eq 'bad_referer') {
>     print "<html><head><title>Nice try, script kiddy</title></head>\n";
>     print "<body>Nice try, script kiddy. No posting from remote URLs.</body></html>\n";
>     exit;
> }
> -----
> ----------end patch----------
>
> >| I notified the author, mattat_private of this problem over a week
> >| ago, but have not gotten a response from him.
> >|
> >| I should mention that wwwboard.pl also does not log the IP that posts a
> >| given message to the board.
>
> Why not just write the IP to the HTML documents created?
>
> Quick Patch
> -----------
>
> Add this in the "Define Variables" section:
> $ipaddy = $ENV{'REMOTE_ADDR'};
>
> Then, just tack $ipaddy on after all instances of $name in the new_file
> subroutine.
>
> [snipped Apache stuff]
>
> >| - Sam
>
> [snipped original patch]
>
>
> Added Bonus Patch
> -----------------
>
> Hate the Blink tag? Try this:
>
> -----patch to LART blink tag users-----
> In the "Configure Options" section, add this:
> -----
> $allow_blink_tag = 0; # 1 = YES; 0 = NO
> -----
>
> Inside the "Parse Form Subroutine", add this:
> -----
> # Nate Johnson <nsjat_private> codes perl regex's in his sleep
> if ($allow_blink_tag == 0) {
>     $value =~ s@(<|<?)\s?/?blink(>|>?)@<font size=7 color=pink>
>     I Can't even hack a blink tag on this wwwboard!<\/font>@gi;
> }
> -----
> ---------------------------------------
>
> In case I wasn't clear enough, or if you just want to see what a
> mess my own wwwboard.pl script is, go to
> http://www.genocide2600.com/~tattooman/wwwboard/wwwboard.pl
> to check out the source code for my implementation of wwwboard.pl
> at http://www.genocide2600.com/~tattooman/wwwboard/wwwboard.html
>
>
> Regards,
>
> Ken Williams
>
> Packet Storm Security http://www.Genocide2600.com/~tattooman/index.shtml
> E.H.A.P. Corporation http://www.ehap.org/ ehapat_private infoat_private
> NCSU Comp Sci Dept http://www.csc.ncsu.edu/ jkwilli2at_private
> PGP DSS/DH/RSA Keys http://www4.ncsu.edu/~jkwilli2/pgpkey/
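The two controls discussed in the thread side by side, as an added Python example that is not code from the original messages or from wwwboard.pl: strict validation of the `followup` field (the input-checking gap the advisory describes) next to a port of the quoted `check_url` referer test. The allowed-host list mirrors the patch's `@referers`; the article-number cap and the sample field values are constructed assumptions.

```python
import re

# Constructed samples of the wwwboard.pl "followup" form field: the first is a
# normal reply chain, the second is the malformed value quoted in the advisory.
GOOD_FOLLOWUP = "1,2,3,4,5"
BAD_FOLLOWUP = "1,2,3,4,5,|.|"

# Assumed host list; mirrors the @referers array in the quoted patch.
ALLOWED_REFERERS = ("www.ncsu.edu", "152.1.2.244")

def parse_followup(value, max_article=9_999_999):
    """Return the article numbers a post follows up, or None if any element
    is not a plain decimal article number. Validating here, before the
    script builds a file name from each element, is the actual fix for the
    clobbering bug: '|.|' and similar path characters never reach open()."""
    if value == "":
        return []
    articles = []
    for field in value.split(","):
        if not re.fullmatch(r"[0-9]{1,7}", field):
            return None
        number = int(field)
        if number < 1 or number > max_article:  # 0 and oversized ids rejected
            return None
        articles.append(number)
    return articles

def referer_allowed(http_referer, referers=ALLOWED_REFERERS):
    """Port of the quoted check_url logic: accept when no Referer header
    was sent, or when it matches https?://<no slashes><configured host>.
    As in the Perl original, the host string is interpolated into the
    pattern unescaped, so '.' matches any character."""
    if not http_referer:
        return True
    for host in referers:
        if re.search(rf"https?://([^/]*){host}", http_referer, re.IGNORECASE):
            return True
    return False

def request_accepted(form_followup, http_referer):
    """Combine both checks the way a hardened wwwboard.pl would: the Referer
    test from the patch plus strict validation of the followup list. The
    Referer value is supplied by the client, which is why the reply at the
    top of the thread treats it as a hint rather than a security boundary;
    the followup validation is what actually protects the article files."""
    if not referer_allowed(http_referer):
        return False
    return parse_followup(form_followup) is not None
```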
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:57 PDT