[13865] in bugtraq


Re: perl-cgi hole in UltimateBB by Infopop Corp.

daemon@ATHENA.MIT.EDU (Charles Capps)
Thu Feb 17 01:50:03 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <032201bf7805$dd293c60$0200a8c0@garlic.com>
Date:         Tue, 15 Feb 2000 14:41:49 -0800
Reply-To: Charles Capps <capps@SOLARECLIPSE.NET>
From: Charles Capps <capps@SOLARECLIPSE.NET>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

For the record, the latest versions of the UBB (Freeware version '2000', and
a new release of licensed version 5.43d) contain fixes for this bug as of
yesterday.  The fix has also been posted in this thread:
http://www.scriptkeeper.com/ubb/Forum16/HTML/000814.html
--
Charles Capps



----- Original Message -----
From: H D Moore <secure@SECUREAUSTIN.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Monday, February 14, 2000 12:26 PM
Subject: Re: [BUGTRAQ] perl-cgi hole in UltimateBB by Infopop Corp.


> Hi,
>
> I am the administrator for a site running the commercial version of UBB,
> the problem exists there as well.  The faulty code is in ubb_library.pl:
>
> if ($ThreadFile =~ /\d\d\.[m|n|ubb|cgi]/) {
>
> I don't actually know the original line number, as we hacked up our copy
> to use MD5 password hashes versus clear-text and added many new
> logging/security features to curb abuse.  Since all of the modifications
> to the code were paid for by my client, I may not be able to release
> them to the public...
>
> -HD
>
> "Sergei A. Golubchik" wrote:
> >
> > Hello.
> > Browsing some site, I found that their forums were based not on home-
> > made scripts, but rather on a commercial software product. Hey, said I to
> > myself, remember that story about the pcweek hack? They use the commercial
> > package photoads. Let's look at what that Ultimate Bulletin Board by
> > Infopop is.
> >
> > I grabbed the freeware version from http://www.ultimatebb.com and
> > after 10 minutes of grepping found these lines:
> >
> > ubb_library.pl:901-902
> >           if ($ThreadFile =~ /\d\d\d\d\d\d\.ubb/) {
> >           open (MESSAGE, "$ForumsPath/Forum$number/$ThreadFile");
> >
> > (notice? not /^\d\d\d\d\d\d\.ubb$/. What did the author think about
> > while writing it ? Girls ?)
> >
> > And the $ThreadFile takes its value directly from the hidden (hmm!)
> > field `topic'.
>
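
The two patterns quoted in this thread, compared with a fully anchored check, as an added example that is not part of the original messages and is not Infopop's posted fix. The helper names (`unanchored_ok`, `charclass_ok`, `strict_ok`, `open_thread`) and the sample `topic` values are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern as quoted from the freeware ubb_library.pl: no anchors, so it
# matches anywhere inside the string.
sub unanchored_ok { my ($f) = @_; return $f =~ /\d\d\d\d\d\d\.ubb/ ? 1 : 0 }

# Pattern as quoted from the commercial copy: [m|n|ubb|cgi] is a set of
# single characters (m | n u b c g i), not an alternation of extensions.
sub charclass_ok { my ($f) = @_; return $f =~ /\d\d\.[m|n|ubb|cgi]/ ? 1 : 0 }

# Hardened check (added here): \A and \z anchor to the true start and end
# of the string. A plain $ would still accept a trailing newline.
sub strict_ok { my ($f) = @_; return $f =~ /\A\d{6}\.ubb\z/ ? 1 : 0 }

# Hypothetical helper: validate both path components, then open read-only
# with three-argument open so the name can only be treated as a path.
sub open_thread {
    my ($forums_path, $number, $thread_file) = @_;
    return unless $number =~ /\A\d+\z/ && strict_ok($thread_file);
    open(my $fh, '<', "$forums_path/Forum$number/$thread_file") or return;
    return $fh;
}

# Constructed sample values for the `topic' field.
my @samples = (
    '000123.ubb',              # the expected form
    '../Forum2/000123.ubb',    # extra path segments before the match
    '000123.ubb.bak',          # extra text after the match
    "000123.ubb\n",            # trailing newline
    '12.ini',                  # only satisfies the character class
);

printf "%-24s %-10s %-9s %s\n", 'topic', 'unanchored', 'charclass', 'strict';
for my $s (@samples) {
    (my $shown = $s) =~ s/\n/\\n/g;    # make the newline visible in output
    printf "%-24s %-10d %-9d %d\n",
        $shown, unanchored_ok($s), charclass_ok($s), strict_ok($s);
}
```

Only the first sample passes the anchored check; the unanchored pattern accepts the first four, and the character-class pattern accepts all five.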
