Re: Ultimate Bulletin Board v5.3x? Bug

[rfp () WIRETRIP NET (.rain.forest.puppy.)]

> There seems to be a bug with the UBB under NT

Actually, I would say the bug was a poor choice of extension on UBB's
part.

On NT, you most likely have mapped the .cgi extension to invoke perl to
handle the script; so when you request 000001.cgi, perl is actually
running and trying to read it.  This is actually similar to the %20.pl bug
published, wow, like a year ago?  More than that?  I remember Mr. Cooper
over on his list talking about it.

The reason why Apache/unix gives you a 500 error is lack of the shebang
(#!/path/to/interpreter) line at the beginning, and also because the
script doesn't return proper headers.  If Apache was just as lax as IIS,
you would get the same result.

Granted, since those files contain passwords, they shouldn't even be
readable by the webserver, but it's a catch-22.  And the fact that they
contain plaintext passwords is un-nerving.

> How to fix? change the members path to something more like
> xvc83nx9wy4nd0w74m3.  That will solve it.

Until someone guesses the path.  Security through obscurity.  It won't
hurt, but don't put faith in the "that will solve it" schpeil.

- rain forest puppy