Bugtraq mailing list archives
wwwboard.pl vulnerability
From: bugtraq () ANKH SAMIAM ORG (bugtraq)
Date: Thu, 3 Sep 1998 13:37:06 -0700
Hello,

The commonly used wwwboard.pl program, available for free from www.worldwidemart.com, is a suite that appears to not have security as a serious consideration in its design. Not only does the default location of passwords in the wwwadmin.pl program allow anyone on the internet to perform dictionary attacks on the board admin's password, there is another, more subtle DOS attack.

There is no input checking done on the list of articles which a given article is a followup to. This allows us to give it invalid input such that we can clobber files that the web server has write permissions to. For example, this HTML snippet, when read by Netscape (and the button is pushed), will clobber articles 1 to 5 on the wwwboard at some.poor.host.

<form method=POST action="http://some.poor.host/cgi-bin/wwwboard.pl">
<input type=hidden name="followup" value="1,2,3,4,5,|.|">
<input type=submit value="Clobber web board">
</form>

The included patch patches wwwboard.pl against this attack. I notified the author, matt () worldwidemart com, of this problem over a week ago, but have not gotten a response from him.

I should mention that wwwboard.pl also does not log the IP that posts a given message to the board.
# looking at the apache 1.2.5 source code i found
# that there was no limit on how many mime headers could
# be included in a client request. The only limits
# are : 8192 byte for each header, 300 sec. on reading headers.
On another topic, this posted attack against Apache using an arbitrary number of different headers does not work against servers with Ben's recent Sioux patch. - Sam Patch for wwwboard.pl (which requires perl5 to run) follows: *** wwwboard.patch.pl Thu Sep 3 13:14:46 1998 --- wwwboard.pl Thu Sep 3 13:17:47 1998 *************** *** 1,4 **** ! #!/usr/local/bin/perl ############################################################################## # WWWBoard Version 2.0 ALPHA 2 # # Copyright 1996 Matt Wright mattw () worldwidemart com # --- 1,4 ---- ! #!/usr/local/bin/perl -T ############################################################################## # WWWBoard Version 2.0 ALPHA 2 # # Copyright 1996 Matt Wright mattw () worldwidemart com # *************** *** 82,88 **** sub get_number { open(NUMBER,"$basedir/$datafile"); ! $num = <NUMBER>; close(NUMBER); if ($num == 99999) { $num = "1"; --- 82,90 ---- sub get_number { open(NUMBER,"$basedir/$datafile"); ! my($n) = <NUMBER>; ! $n =~ /(\d+)/; ! $num = $1; close(NUMBER); if ($num == 99999) { $num = "1"; *************** *** 132,138 **** if ($FORM{'followup'}) { $followup = "1"; ! @followup_num = split(/,/,$FORM{'followup'}); $num_followups = @followups = @followup_num; $last_message = pop(@followups); $origdate = "$FORM{'origdate'}"; --- 134,146 ---- if ($FORM{'followup'}) { $followup = "1"; ! my($item); ! my(@list) = split(/,/,$FORM{'followup'}); ! @followup_num = (); ! foreach $item (@list) { ! $item =~ /(\d+)/; ! push(@followup_num,$1); ! } $num_followups = @followups = @followup_num; $last_message = pop(@followups); $origdate = "$FORM{'origdate'}";
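Review bot: the `-T` added to the shebang in the first hunk only takes effect when the web server executes the script through that shebang line; if it is started as `perl wwwboard.pl`, Perl aborts with "Too late for -T", so the deployment note should say so. Taint mode is also stricter than the two untainting hunks cover: `$origdate = "$FORM{'origdate'}";`, visible as context in the third hunk, stays tainted, and any later use of it in a file name or command will now die rather than proceed, which is the safe direction but is a behaviour change worth stating in the patch description.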
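Review bot: in the get_number hunk, `$n =~ /(\d+)/; $num = $1;` never checks that the match succeeded. If `$basedir/$datafile` is empty, missing (the `open` return value is not checked either) or corrupt, the failed match leaves `$1` unset or holding the capture from an earlier successful match, so `$num` becomes undef or a stale value and the script carries on with a bogus article number. Suggest testing the match, e.g. `if ($n =~ /^\s*(\d+)\s*$/) { $num = $1 } else { die "bad article counter" }`, or at minimum `($num) = $n =~ /(\d+)/;` so that a failure yields undef instead of a stale value.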
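Review bot: the followup hunk repeats the unchecked capture: `$item =~ /(\d+)/; push(@followup_num,$1);` pushes `$1` even when the item contains no digits, so the `|.|` element from the advisory's own example is not rejected but appended as undef (or as a stale capture) and still reaches `$last_message = pop(@followups);`. The unanchored `/(\d+)/` also accepts items such as `1abc` or `../5` by silently keeping only `1` or `5`. Suggest anchoring and skipping or rejecting non-matches, e.g. `next unless $item =~ /^\s*(\d+)\s*$/; push(@followup_num, $1);`, and treating an empty resulting list as an error rather than as a followup.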
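As an added example, not code from the post or from wwwboard.pl itself: a small Perl script (the sub names, the strict validator, the assumed 99999 cap and the constructed inputs are my own) that reproduces the digit-extraction loop of the patch's followup hunk beside an anchored, range-checked alternative, and runs both on the advisory's `1,2,3,4,5,|.|` payload. It shows that the patched loop appends an undefined element for the non-numeric item, whereas strict validation rejects the whole request before any article number can reach a file name.

```perl
#!/usr/bin/perl -T
# Added example, not part of the Bugtraq post or of wwwboard.pl: validating
# the comma-separated "followup" CGI field. Sub names and the 99999 cap are
# assumptions for illustration (wwwboard's own counter wraps at 99999, as
# the get_number hunk of the patch shows).
use strict;
use warnings;

# Logic of the posted patch's followup hunk, reproduced: the first digit run
# of each item is pushed whether or not the match succeeded. A failed match
# does not reset $1, so a non-numeric item yields undef (or a stale capture
# from an earlier successful match in the enclosing scope).
sub followups_as_patched {
    my ($field) = @_;
    my @nums;
    foreach my $item (split /,/, $field) {
        $item =~ /(\d+)/;
        push @nums, $1;
    }
    return @nums;
}

# Strict alternative: every item must be a whole decimal article number in
# range, with no duplicates. Returns an array ref of untainted numbers on
# success, or undef plus an error string. The anchored capture is what
# untaints the value under -T, so only validated numbers can later be
# interpolated into a message file name.
sub followups_strict {
    my ($field, $max) = @_;
    $max = 99999 unless defined $max;
    return (undef, "empty followup list") unless defined $field && length $field;
    my (%seen, @nums);
    # Limit -1 keeps trailing empty fields, so "1,2," is rejected as well.
    foreach my $item (split /,/, $field, -1) {
        return (undef, "bad followup item '$item'") unless $item =~ /\A(\d{1,5})\z/;
        my $n = $1 + 0;                                   # numeric and untainted
        return (undef, "followup $n out of range") if $n < 1 || $n > $max;
        return (undef, "duplicate followup $n")    if $seen{$n}++;
        push @nums, $n;
    }
    return (\@nums, undef);
}

# Constructed inputs: the advisory's own payload and a benign list.
my $attack = '1,2,3,4,5,|.|';
my $benign = '12,13';

for my $field ($attack, $benign) {
    my @as_patched = map { defined $_ ? $_ : '<undef>' } followups_as_patched($field);
    my ($nums, $err) = followups_strict($field);
    printf "%-16s as patched: %-20s strict: %s\n", $field,
        join(',', @as_patched),
        defined $nums ? join(',', @$nums) : "rejected ($err)";
}
```

Run it with `perl -T` (or via the shebang) to see that the attack payload is accepted by the patched loop as `1,2,3,4,5,<undef>` and rejected by the strict validator with `bad followup item '|.|'`, while `12,13` passes both. The strict version also refuses out-of-range, duplicate and partially numeric items that the unanchored `/(\d+)/` would quietly truncate.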