Bugtraq mailing list archives
Patches for wwwboard.pl (Was: Re: wwwboard.pl vulnerability)
From: jkwilli2 () UNITY NCSU EDU (Ken Williams)
Date: Wed, 7 Oct 1998 12:38:59 -0400
On Thu, 3 Sep 1998, bugtraq wrote:
| Date: Thu, 3 Sep 1998 13:37:06 -0700
| From: bugtraq <bugtraq () ANKH SAMIAM ORG>
| To: BUGTRAQ () netspace org
| Subject: wwwboard.pl vulnerability
|
| Hello,
|
| The commonly used wwwboard.pl program, available for free from
| www.worldwidemart.com, is a suite that appears to not have security as a
| serious consideration in its design. Not only does the default location
| of passwords in the wwwadmin.pl program allow anyone on the internet to
| perform dictionary attacks on the board admin's password, there is
| another, more subtle DOS attack.
Hello,

A simple solution that has worked fine for me is to not use the wwwadmin.pl
script at all. Don't install it, and use vi to edit instead.
| There is no input checking done on the list of articles which a given
| article is a followup to. This allows us to give it invalid input such
| that we can clobber files that the web server has write permissions to.
|
| For example, this HTML snippet, when read by Netscape (and the button is
| pushed), will clobber articles 1 to 5 on the wwwboard at some.poor.host.
|
| <form method=POST action="http://some.poor.host/cgi-bin/wwwboard.pl">
| <input type=hidden name="followup" value="1,2,3,4,5,|.|">
| <input type=submit value="Clobber web board">
| </form>
|
| The included patch patches wwwboard.pl against this attack.
A better and much simpler solution is to simply rip the &check_url subroutine
from Matt Wright's FormMail.pl script and use that instead. Not only does it
fix this security hole, but it also solves any other problems or worries
associated with remote execution of the wwwboard.pl script.

----------begin patch----------
Patch (ripped directly from Matt Wright's FormMail.pl)
-----------------------------------------------------

In the "Define Variables" section add:
-----
# security fix for post deletion
# check http://worldwidemart.com/scripts/ for more details
@referers = ('www.ncsu.edu','152.1.2.244');
-----

In the section that calls the subroutines right after "Configure Options" add
the following:
-----
# Check Referring URL - remote post security fix
&check_url;
-----

At the beginning of the subroutines, add the following:
-----
# security fix for remote post deletion
sub check_url {
    # Localize the check_referer flag which determines if user is valid. #
    local($check_referer) = 0;

    # If a referring URL was specified, for each valid referer, make sure #
    # that a valid referring URL was passed to FormMail.                  #
    if ($ENV{'HTTP_REFERER'}) {
        foreach $referer (@referers) {
            if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
                $check_referer = 1;
                last;
            }
        }
    }
    else {
        $check_referer = 1;
    }

    # If the HTTP_REFERER was invalid, send back an error. #
    if ($check_referer != 1) { &error('bad_referer') }
}
-----

In the "error" subroutine, add the following, or roll your own:
-----
# error message to print out to ppl trying to delete posts via patched remote post exploit
elsif ($error eq 'bad_referer') {
    print "<html><head><title>Nice try, script kiddy</title></head>\n";
    print "<body>Nice try, script kiddy. No posting from remote URLs.</body></html>\n";
    exit;
}
-----
----------end patch----------
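Review bot: check_url accepts a request that carries no Referer at all (the `else { $check_referer = 1; }` branch), and HTTP_REFERER is set by the client, so a poster who omits or forges the header is let through; the match `m|https?://([^/]*)$referer|i` is also unanchored after the host and leaves the dots in 'www.ncsu.edu' and '152.1.2.244' as wildcards, so a Referer of http://www.ncsu.edu.example.net/ passes as well. This check therefore does not replace validation of the `followup` field (digits and commas only), which is what actually stops the `1,2,3,4,5,|.|` clobber described above; suggest anchoring on the host, e.g. `m|^https?://\Q$referer\E(/|$)|i`, rejecting an empty Referer, and keeping Sam's followup check alongside it.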
| I notified the author, matt () worldwidemart com, of this problem over a week
| ago, but have not gotten a response from him.
|
| I should mention that wwwboard.pl also does not log the IP that posts a
| given message to the board.
Why not just write the IP to the HTML documents created?

Quick Patch
-----------
Add this in the "Define Variables" section:

$ipaddy = $ENV{'REMOTE_ADDR'};

Then, just tack $ipaddy on after all instances of $name in the new_file
subroutine.

[snipped Apache stuff]
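Review bot: `$ENV{'REMOTE_ADDR'}` is the address of the TCP peer, so when a proxy sits in front of the server the generated pages record the proxy rather than the poster; and because the value is tacked on after `$name` in new_file, it ends up in the public HTML next to every post, visible to all readers of the board. If the aim is accountability rather than display, write it to a server-side log (or at least an HTML comment) instead of the page body.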
| - Sam
[snipped original patch]

Added Bonus Patch
-----------------

Hate the Blink tag? Try this:

-----patch to LART blink tag users-----
In the "Configure Options" section, add this:
-----
$allow_blink_tag = 0;   # 1 = YES; 0 = NO
-----

Inside the "Parse Form Subroutine", add this:
-----
# Nate Johnson <nsj () ncsu edu> codes perl regex's in his sleep
if ($allow_blink_tag == 0) {
    $value =~ s@(<|<?)\s?/?blink(>|>?)@<font size=7 color=pink> I Can't even hack a blink tag on this wwwboard!<\/font>@gi;
}
-----
---------------------------------------

In case I wasn't clear enough, or if you just want to see what a mess my own
wwwboard.pl script is, go to
http://www.genocide2600.com/~tattooman/wwwboard/wwwboard.pl
to check out the source code for my implementation of wwwboard.pl at
http://www.genocide2600.com/~tattooman/wwwboard/wwwboard.html

Regards,

Ken Williams

Packet Storm Security   http://www.Genocide2600.com/~tattooman/index.shtml
E.H.A.P. Corporation    http://www.ehap.org/   ehap () ehap org   info () ehap org
NCSU Comp Sci Dept      http://www.csc.ncsu.edu/   jkwilli2 () adm csc ncsu edu
PGP DSS/DH/RSA Keys     http://www4.ncsu.edu/~jkwilli2/pgpkey/
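Review bot: in the blink pattern `(<|<?)` is equivalent to a plain `<?` (the second alternative matches empty), and `(>|>?)` likewise, so the substitution also fires on the bare word "blink" in ordinary message text, not only on the tag, and `\s?` admits at most one whitespace character. If the intent is to catch the tag alone, `s@<\s*/?\s*blink\s*>@...@gi` does that without rewriting prose.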
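As an added example (not code from this thread, from Matt Wright's scripts, or from Sam's snipped patch), the Perl below reproduces the check_url referer test exactly as posted, but fed from constructed Referer values instead of $ENV{'HTTP_REFERER'} so it can be run offline, and sets two things beside it: a host-anchored variant of the same test, and a digits-only check of the followup field that rejects the `1,2,3,4,5,|.|` value from the original report. The function names referer_ok, referer_ok_strict and parse_followups, the sample hosts and the sample inputs are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Same allowed referers as the posted patch (constructed configuration).
my @referers = ('www.ncsu.edu', '152.1.2.244');

# The posted check_url logic, one header value in, 1 (accept) or 0 (reject) out.
# Note the two properties visible in the original: a missing/empty header is
# accepted, and the pattern is not anchored after the configured host.
sub referer_ok {
    my ($hdr) = @_;
    return 1 unless defined $hdr && length $hdr;
    foreach my $r (@referers) {
        return 1 if $hdr =~ m|https?://([^/]*)$r|i;
    }
    return 0;
}

# Assumed stricter variant: require a Referer, quote the configured host
# literally (\Q...\E), allow an optional port, and insist the host ends there.
sub referer_ok_strict {
    my ($hdr) = @_;
    return 0 unless defined $hdr && length $hdr;
    foreach my $r (@referers) {
        return 1 if $hdr =~ m{^https?://\Q$r\E(?::\d+)?(?:/|\z)}i;
    }
    return 0;
}

# Input validation for the followup list, which is what actually stops the
# clobber: accept only comma-separated decimal article numbers, reject the
# whole field otherwise.  Returns the list of ids, or an empty list on failure.
sub parse_followups {
    my ($followup) = @_;
    return () unless defined $followup && length $followup;
    my @ids;
    foreach my $id (split /,/, $followup, -1) {
        return () unless $id =~ /^\d+$/;   # rejects "|.|", "../x", "" etc.
        push @ids, $id;
    }
    return @ids;
}

# Constructed Referer values: a legitimate one, a look-alike host that the
# posted regex accepts, no header at all, and an unrelated host.
for my $hdr ('http://www.ncsu.edu/wwwboard/wwwboard.html',
             'http://www.ncsu.edu.example.net/',
             '',
             'http://example.net/') {
    printf "%-48s posted=%d strict=%d\n",
        "'$hdr'", referer_ok($hdr), referer_ok_strict($hdr);
}

# Constructed followup fields: the normal case and the value from the report.
for my $f ('1,2,3,4,5', '1,2,3,4,5,|.|') {
    my @ids = parse_followups($f);
    printf "%-18s -> %s\n", "'$f'", @ids ? join(' ', @ids) : 'REJECTED';
}
```

Run it as a plain script (no web server needed); the first table shows the posted check passing the empty and look-alike Referers that the anchored variant rejects, and the second shows the followup value from the report being refused before any filename is built from it.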