For the record, the latest versions of the UBB (Freeware version '2000', and a new release of licensed version 5.43d) contain fixes for this bug as of yesterday. The fix has also been posted in this thread:

http://www.scriptkeeper.com/ubb/Forum16/HTML/000814.html

-- Charles Capps

----- Original Message -----
From: H D Moore <secureat_private>
To: <BUGTRAQat_private>
Sent: Monday, February 14, 2000 12:26 PM
Subject: Re: [BUGTRAQ] perl-cgi hole in UltimateBB by Infopop Corp.

> Hi,
>
> I am the administrator for a site running the commercial version of UBB,
> the problem exists there as well. The faulty code is in ubb_library.pl:
>
> if ($ThreadFile =~ /\d\d\.[m|n|ubb|cgi]/) {
>
> I don't actually know the original line number, as we hacked up our copy
> to use MD5 password hashes versus clear-text and added many new
> logging/security features to curb abuse. Since all of the modifications
> to the code were paid for by my client, I may not be able to release
> them to the public...
>
> -HD
>
> "Sergei A. Golubchik" wrote:
> >
> > Hello.
> > Browsing some site, I found that their forums were based not on
> > home-made scripts, but rather commercial software product. Hey, said I to
> > myself, remember that story about pcweek hack? They use commercial
> > package photoads. Let's look what that Ultimate Bulletin Board by
> > Infopop is.
> >
> > I grabbed freeware version from http://www.ultimatebb.com and
> > after 10-minutes grepping found those lines:
> >
> > ubb_library.pl:901-902
> > if ($ThreadFile =~ /\d\d\d\d\d\d\.ubb/) {
> > open (MESSAGE, "$ForumsPath/Forum$number/$ThreadFile");
> >
> > (notice? not /^\d\d\d\d\d\d\.ubb$/. What did the author think about while
> > writing it? Girls?)
> >
> > And the $ThreadFile takes its value directly from the hidden (hmm!)
> > field `topic'.
>
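The difference between the unanchored check quoted in the thread and an anchored one, as an added example that is not part of the original messages and is not Infopop's fix. The helper names (`loose_ok`, `strict_ok`, `open_thread`) and the sample `topic` values are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The check quoted in the thread: unanchored, so it succeeds if the
# pattern appears anywhere inside the submitted value.
sub loose_ok  { my ($f) = @_; return $f =~ /\d\d\d\d\d\d\.ubb/ ? 1 : 0; }

# Anchored form. \A and \z are used rather than ^ and $ because in Perl
# $ also matches just before a trailing newline.
sub strict_ok { my ($f) = @_; return $f =~ /\A\d{6}\.ubb\z/ ? 1 : 0; }

# Hypothetical helper (not UBB code): validate both components, then use
# three-argument open with an explicit read mode so the file name is
# never interpreted as a mode or pipe specification.
sub open_thread {
    my ($forums_path, $number, $thread_file) = @_;
    die "bad forum number\n" unless $number =~ /\A\d+\z/;
    die "bad topic value\n"  unless strict_ok($thread_file);
    open(my $fh, '<', "$forums_path/Forum$number/$thread_file")
        or die "cannot open thread: $!\n";
    return $fh;
}

# Constructed sample values for the 'topic' form field.
my @samples = (
    "000814.ubb",             # the only shape the forum itself generates
    "x000814.ubb.bak",        # extra text before and after the pattern
    "../Forum2/000814.ubb",   # path components in front of the pattern
    "000814.ubb\n",           # trailing newline, which $ would let through
);

for my $s (@samples) {
    (my $shown = $s) =~ s/\n/\\n/g;    # make the newline visible in output
    printf "%-24s loose=%d strict=%d\n", $shown, loose_ok($s), strict_ok($s);
}
```

Only the first sample passes `strict_ok`, while all four pass the unanchored check.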