Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Patches for wwwboard.pl (Was: Re: wwwboard.pl vulnerability)
From: David.Boynton () PENTAGON AF MIL (Boynton, David, SSgt, AFPOA/DPSM)
Date: Thu, 8 Oct 1998 13:13:18 -0400

Since the referer information comes from the remote client, that doesn't
prevent malicious destruction.  Anyone with netcat or telnet could forge the
referer field. It requires a little more expertise, but not much.

-----Original Message-----
From: Ken Williams [SMTP:jkwilli2 () UNITY NCSU EDU]
Sent: Wednesday, October 07, 1998 12:39 PM
Subject:      Patches for wwwboard.pl (Was: Re: wwwboard.pl vulnerability)

On Thu, 3 Sep 1998, bugtraq wrote:

| Date: Thu, 3 Sep 1998 13:37:06 -0700
| From: bugtraq <bugtraq () ANKH SAMIAM ORG>
| To: BUGTRAQ () netspace org
| Subject: wwwboard.pl vulnerability
| Hello,
| The commonly used wwwboard.pl program, available for free from
| www.worldwidemart.com, is a suite that appears to not have security as
| serious consideration in its design.  Not only does the default
| of passwords in the wwwadmin.pl program allow anyone on the internet to
| perform dictionary attacks on the board admin's password, there is
| another, more subtle DOS attack.


Simple solution that has worked fine for me is to not use the wwwadmin.pl
script at all.  Don't install it and use vi to edit instead.

| There is no input checking done on the list of articles which a given
| article is a followup to.  This allows us to give it invalid input such
| that we can clobber files that the web server has write permissions to.
| For example, this HTML snippit, when read by Netscape (and the button
| pushed), will clobber articles 1 to 5 on the wwwboard at
| <form method=POST action="http://some.poor.host/cgi-bin/wwwboard.pl";>
| <input type=hidden name="followup" value="1,2,3,4,5,|.|">
| <input type=submit value="Clobber web board">
| </form>
| The included patch patches wwwboard.pl against this attack.

A better and much simpler solution is to simply rip the &check_url
subroutine from Matt Wright's FormMail.pl script and use that instead.
Not only does it fix this security hole, but it also solves any other
problems or worries associated with remote execution of the wwwboard.pl

----------begin patch----------
Patch (ripped directly from Matt Wright's ForMail.pl)

In the "Define Variables" section add:
# security fix for post deletion
# check http://worldwidemart.com/scripts/ for more details
@referers = ('www.ncsu.edu','');

In the section that calls the subroutines right after "Configure Options"
add the following:
# Check Referring URL - remote post security fix

At the beginning of the subroutines, add the following:
# security fix for remote post deletion
sub check_url {

    # Localize the check_referer flag which determines if user is valid.
    local($check_referer) = 0;

    # If a referring URL was specified, for each valid referer, make sure
    # that a valid referring URL was passed to FormMail.

    if ($ENV{'HTTP_REFERER'}) {
        foreach $referer (@referers) {
            if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
                $check_referer = 1;
    else {
        $check_referer = 1;

    # If the HTTP_REFERER was invalid, send back an error.
    if ($check_referer != 1) { &error('bad_referer') }

In the "error" subroutine, add the following, or roll your own:
# error message to print out to ppl trying to delete posts via patched
remote post exploit
   elsif ($error eq 'bad_referer') {
      print "<html><head><title>Nice try, script kiddy</title></head>\n";
      print "<body>Nice try, script kiddy.  No posting from remote
----------end patch----------

| I notified the arthur, matt () worldwidemart com of this problem over a
| ago, but have not gotten a response from him.
| I should mention that wwwboard.pl also does not log the IP that posts a
| given message to the board.

Why not just write the IP to the HTML documents created?

Quick Patch

Add this in the "Define Variables" section:
$ipaddy = $ENV{'REMOTE_ADDR'};

Then, just tack it $ipaddy on after all instances of $name in the new_file

[snipped Apache stuff]

| - Sam

[snipped original patch]

Added Bonus Patch

Hate the Blink tag?  Try this:

-----patch to LART blink tag users-----
In the "Configure Options" section, add this:
$allow_blink_tag = 0;   # 1 = YES; 0 = NO

Inside the "Parse Form Subroutine", add this:
# Nate Johnson <nsj () ncsu edu> codes perl regex's in his sleep
      if ($allow_blink_tag == 0) {
         $value =~ s@(<|&lt;?)\s?/?blink(>|&gt;?)@<font size=7 color=pink>
         I Can't even hack a blink tag on this wwwboard!<\/font>@gi;

In case I wasn't clear enough, or if you just want to see what a
mess my own wwwboard.pl script is, go to
to check out the source code for my implementation of wwwboard.pl
at http://www.genocide2600.com/~tattooman/wwwboard/wwwboard.html


Ken Williams

Packet Storm Security http://www.Genocide2600.com/~tattooman/index.shtml
E.H.A.P. Corporation  http://www.ehap.org/  ehap () ehap org info () ehap org
NCSU Comp Sci Dept    http://www.csc.ncsu.edu/ jkwilli2 () adm csc ncsu edu
PGP DSS/DH/RSA Keys   http://www4.ncsu.edu/~jkwilli2/pgpkey/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]