[12780] in bugtraq


Ultimate Bulletin Board v5.3x? Bug

daemon@ATHENA.MIT.EDU (Sean Malloy)
Tue Nov 30 13:37:20 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <NDBBKKDMKDLNPCBDIMIHGEOICCAA.sean@emax.com.au>
Date:         Tue, 30 Nov 1999 11:08:29 +1100
Reply-To: Sean Malloy <sean@EMAX.COM.AU>
From: Sean Malloy <sean@EMAX.COM.AU>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

I'm just a reader of this list, I don't really know the protocols for posting
a message to the list, so oh well.. I'm also not sure if this problem has
been posted before, but I did a search through the archives and couldn't
spot it.

There seems to be a bug with the UBB under NT. I don't believe Unix users of
the UBB are faced with the same problem. Of course, it could be the version of
ActivePerl, combined with the bug in the board, but anyways...

By default, Member files are stored in the /cgi-bin/Members directory. The
members files are stored as numbers, with a .cgi extension, eg: 00000001.cgi

Under unix, if you put in http://www.url.blah/cgi-bin/Members/00000001.cgi,
the server will return a 500 error, however, under NT with ActivePerl (v5.07
I believe?), it will return something like this:

CGI Error
The specified CGI application misbehaved by not returning a complete set of
HTTP headers. The headers it did return are:
Number found where operator expected at
D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 2, near "Malby
1"
	(Missing semicolon on previous line?)
syntax error at D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 2,
near "Malby
1"
Bareword found where operator expected at
D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 2, near "mypass"
	(Missing operator before malby2?)
Bareword found where operator expected at
D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 4, near "//www"
	(Missing operator before www?)
Semicolon seems to be missing at
D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 6.
Number found where operator expected at D:\CONTE

Yay for UBB handing out my password (line 2) to anyone who wants to read it.
This does not work on every data file, I think it depends on whether the
username has spaces in it, etc. However, it creates a very large hole. You
just need to get one of the administrator's data files, and as you could
imagine, all hell would break loose.

I've seen posts before, that the UBB isn't exactly safe (heh ;P), so here's
another problem with it.

The people at Infopop/Madronapark (very nice folks), offer an "Example Sites"
list, a listing of users with UBB (There's a lot of them), so now you have a
big list of would-be victims. Someone can go through, and test each board.
I'd guarantee that about 40% of the boards are run under NT, and that most
of them use the default /Members/ directory.

How to fix? Change the members path to something more like
xvc83nx9wy4nd0w74m3. That will solve it.

Sorry for ranting

Regards,

Sean
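
A detection sketch for the exposure described in this message, added here as an example and not part of the original post: it scans web server access logs for direct requests to member data files (eight digits plus .cgi under a Members directory) and lists clients that walk through several of them. The Common Log Format, the sample log lines and the threshold of three distinct files are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+')
# Member data file as described in the post: eight digits plus .cgi inside a
# Members directory. NT paths are case-insensitive, so the match is too.
MEMBER = re.compile(r'/members/(\d{8})\.cgi$', re.IGNORECASE)

def member_file_hits(lines):
    """Return {client: sorted member numbers that client requested directly}."""
    hits = defaultdict(set)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not valid log records
        client, target = m.groups()
        # Drop the query string, decode %xx escapes, normalise backslashes.
        path = unquote(target.split('?', 1)[0]).replace('\\', '/')
        hit = MEMBER.search(path)
        if hit:
            hits[client].add(int(hit.group(1)))
    return {client: sorted(nums) for client, nums in hits.items()}

def enumerating_clients(hits, threshold=3):
    """Clients that requested at least `threshold` distinct member files."""
    return sorted(c for c, nums in hits.items() if len(nums) >= threshold)

# Constructed sample log lines (documentation addresses, made-up sizes).
SAMPLE = [
    '192.0.2.10 - - [30/Nov/1999:11:00:01 +1100] '
    '"GET /cgi-bin/Members/00000001.cgi HTTP/1.0" 500 612',
    '192.0.2.10 - - [30/Nov/1999:11:00:02 +1100] '
    '"GET /cgi-bin/Members/00000002.cgi HTTP/1.0" 500 598',
    '192.0.2.10 - - [30/Nov/1999:11:00:03 +1100] '
    '"GET /cgi-bin/members/00000003%2Ecgi HTTP/1.0" 500 601',
    '198.51.100.7 - - [30/Nov/1999:11:02:10 +1100] '
    '"GET /cgi-bin/Ultimate.cgi?action=intro HTTP/1.0" 200 10432',
    '198.51.100.7 - - [30/Nov/1999:11:02:40 +1100] '
    '"GET /cgi-bin/Members/00000001.cgi HTTP/1.0" 500 612',
    'not a log line',
]

if __name__ == '__main__':
    found = member_file_hits(SAMPLE)
    for client in enumerating_clients(found):
        print(client, 'requested member files', found[client])
```

Because the regular expression only anchors on a directory named Members, a board whose member path has been renamed needs that name substituted into the pattern.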
