Bugtraq mailing list archives
Re: perl-cgi hole in UltimateBB by Infopop Corp.
From: wood () KINGSLEY CO ZA (Michael Wood)
Date: Wed, 16 Feb 2000 09:12:06 +0200
Hi

On Mon, Feb 14, 2000 at 02:26:20PM -0600, H D Moore wrote:
> Hi,
>
> I am the administrator for a site running the commercial version of UBB,
> the problem exists there as well. The faulty code is in ubb_library.pl:
>
>   if ($ThreadFile =~ /\d\d\.[m|n|ubb|cgi]/) {

Ack! From the perlre manpage:

    Also remember that "|" is interpreted as a literal within square
    brackets, so if you write [fee|fie|foe] you're really only matching
    [feio|].

i.e. the above is equivalent to:

  if ($ThreadFile =~ /\d{2}\.[mnubcgi|]/) {

i.e. it would match "00.m" or "abcabc12.c" or "43.iXXX" or "99.|" etc.

[snip]

> "Sergei A. Golubchik" wrote:

[snip]

> > I grabbed freeware version from http://www.ultimatebb.com and after
> > 10-minutes grepping found those lines:
> >
> > ubb_library.pl:901-902
> >   if ($ThreadFile =~ /\d\d\d\d\d\d\.ubb/) {
> >     open (MESSAGE, "$ForumsPath/Forum$number/$ThreadFile");

[snip]

--
Michael Wood           | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
wood () kingsley co za | Fax: +27 21 761 9930 | Kingsley Technologies
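
The character-class behaviour described in the message above, as an added example (not code from UBB or from anyone in the thread). It runs the pattern as posted next to an anchored alternation over constructed file names; the anchored pattern is an assumption about what the check was meant to accept.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern quoted in the thread: inside [...] the "|" is a literal, so this is
# one character from the set {m,n,u,b,c,g,i,|}, and nothing is anchored.
my $as_posted = qr/\d\d\.[m|n|ubb|cgi]/;

# Assumed intent (not from the page): exactly two digits, a dot, and one of
# the extensions m, n, ubb or cgi, with nothing before or after.
# \A and \z anchor to the true start and end; "$" would allow a trailing "\n".
my $anchored = qr/\A\d\d\.(?:m|n|ubb|cgi)\z/;

# Constructed sample names: the first four are the ones listed in the post.
my @samples = ('00.m', 'abcabc12.c', '43.iXXX', '99.|',
               '12.ubb', '12.cgi', "12.cgi\n", '123.m');

printf "%-14s %-10s %s\n", 'name', 'as_posted', 'anchored';
for my $name (@samples) {
    (my $shown = $name) =~ s/\n/\\n/g;    # make a trailing newline visible
    printf "%-14s %-10s %s\n", "\"$shown\"",
        ($name =~ $as_posted ? 'match' : '-'),
        ($name =~ $anchored  ? 'match' : '-');
}
```

Every sample matches the pattern as posted, because it only requires the two digits, the dot and one set character to appear somewhere in the string. The anchored form accepts only "00.m", "12.ubb" and "12.cgi".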