[13831] in bugtraq


Re: perl-cgi hole in UltimateBB by Infopop Corp.

daemon@ATHENA.MIT.EDU (H D Moore)
Tue Feb 15 13:50:31 2000

Message-Id:  <38A864EC.73659F12@secureaustin.com>
Date:         Mon, 14 Feb 2000 14:26:20 -0600
Reply-To: H D Moore <secure@SECUREAUSTIN.COM>
From: H D Moore <secure@SECUREAUSTIN.COM>
X-To:         "Sergei A. Golubchik" <serg@INFOMAG.APE.RELARN.RU>
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

I am the administrator for a site running the commercial version of UBB;
the problem exists there as well.  The faulty code is in ubb_library.pl:

if ($ThreadFile =~ /\d\d\.[m|n|ubb|cgi]/) {

I don't actually know the original line number, as we hacked up our copy
to use MD5 password hashes versus clear-text and added many new
logging/security features to curb abuse.  Since all of the modifications
to the code were paid for by my client, I may not be able to release
them to the public...

-HD

"Sergei A. Golubchik" wrote:
>
> Hello.
> Browsing some site, I found that their forums were based not on home-
> made scripts, but rather on a commercial software product. Hey, said I to
> myself, remember that story about the pcweek hack? They use the commercial
> package photoads. Let's look at what that Ultimate Bulletin Board by
> Infopop is.
>
> I grabbed the freeware version from http://www.ultimatebb.com and
> after 10 minutes of grepping found these lines:
>
> ubb_library.pl:901-902
>           if ($ThreadFile =~ /\d\d\d\d\d\d\.ubb/) {
>           open (MESSAGE, "$ForumsPath/Forum$number/$ThreadFile");
>
> (notice? not /^\d\d\d\d\d\d\.ubb$/. What did the author think about while
> writing it? Girls?)
>
> And the $ThreadFile takes its value directly from the hidden (hmm!)
> field `topic'.
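
An added example, not part of the original posts and not UBB code: a Perl script that runs the two checks quoted in this thread, the ^...$ form from the quoted message, and a stricter \A...\z form over constructed `topic' values. The names @checks, passes and safe_thread_file and every sample value are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Name => pattern, in display order. The first two are the checks quoted
# in this thread; the third is the anchored form from the quoted message.
my @checks = (
    [ freeware     => qr/\d\d\d\d\d\d\.ubb/   ],
    [ commercial   => qr/\d\d\.[m|n|ubb|cgi]/ ],
    [ caret_dollar => qr/^\d\d\d\d\d\d\.ubb$/ ],
    [ strict       => qr/\A\d{6}\.ubb\z/      ],
);

# Constructed sample values for the `topic' field; none come from the page.
my @samples = (
    "000123.ubb",             # well-formed thread file name
    "000123.ubb\n",           # same name with a trailing newline
    "subdir/000123.ubb.old",  # valid name embedded in a longer string
    "../x00.b",               # two digits, a dot, one character from the class
    "000123.cgi",             # different extension
);

# Return 1 when $value matches the compiled pattern $re, else 0.
sub passes {
    my ($re, $value) = @_;
    return $value =~ $re ? 1 : 0;
}

# Validate, then use only the captured text: the whole value must be
# six digits followed by ".ubb". Returns undef for anything else.
sub safe_thread_file {
    my ($value) = @_;
    return $value =~ /\A(\d{6}\.ubb)\z/ ? $1 : undef;
}

for my $s (@samples) {
    (my $shown = $s) =~ s/\n/\\n/g;    # make the newline visible
    my @row = map { "$_->[0]=" . (passes($_->[1], $s) ? 'accept' : 'reject') }
              @checks;
    my $safe = safe_thread_file($s);
    printf "%-26s %s use=%s\n", "'$shown'", join(' ', @row),
        defined $safe ? $safe : '(refused)';
}
```

In Perl, $ also matches before a final newline, and [m|n|ubb|cgi] is a character class matching one character rather than an alternation of extensions, so of the four patterns only the \A...\z form constrains the whole value.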
