Home page logo

bugtraq logo Bugtraq mailing list archives

Re: perl-cgi hole in UltimateBB by Infopop Corp.
From: capps () SOLARECLIPSE NET (Charles Capps)
Date: Tue, 15 Feb 2000 14:41:49 -0800

For the record, the latest versions of the UBB (Freeware version '2000', and
a new release of licensed version 5.43d) contain fixes for this bug as of
yesterday.  The fix has also been posted in this thread:

Charles Capps

----- Original Message -----
From: H D Moore <secure () SECUREAUSTIN COM>
Sent: Monday, February 14, 2000 12:26 PM
Subject: Re: [BUGTRAQ] perl-cgi hole in UltimateBB by Infopop Corp.


I am the administrator for a site running the commercial version of UBB,
the problem exists there as well.  The faulty code is in ubb_library.pl:

if ($ThreadFile =~ /\d\d\.[m|n|ubb|cgi]/) {

I don't actually know the original line number, as we hacked up our copy
to use MD5 password hashes versus clear-text and added many new
logging/security features to curb abuse.  Since all of the modifications
to the code were paid for by my client, I may not be able to release
them to the public...


"Sergei A. Golubchik" wrote:

Browsing some site, I found that their forums were based not on home-
made scripts, but rather commercial software product. Hey, said I to
myself, remember those story about pcweek hack ? They use commercial
package photoads. Let's look what that Ultimate Bulletin Board by
Infopop is.

I grabbed freeware version from http://www.ultimatebb.com and
after 10-minutes grepping found those lines:

          if ($ThreadFile =~ /\d\d\d\d\d\d\.ubb/) {
          open (MESSAGE, "$ForumsPath/Forum$number/$ThreadFile");

(notice? not /^\d\d\d\d\d\d\.ubb$/. What did the author think about
writing it ? Girls ?)

And the $ThreadFile takes its value directly from the hidden (hmm!)
field `topic'.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]