Bugtraq mailing list archives

Ultimate Bulletin Board v5.3x? Bug

From: sean () EMAX COM AU (Sean Malloy)
Date: Tue, 30 Nov 1999 11:08:29 +1100


Hi,

I'm just a reader of this list, I don't really know the protocols to posting
a message to the list, so oh well.. I'm also not  sure if this problem has
been posted before, but I did a search through the archives and couldn't
spot it.

There seems to be a bug with the UBB under NT. I don't believe Unix users of
the UBB are faced with the same problem. Ofcourse it could be the version of
ActivePerl, combined with the bug in the board, but anyways...

By default, Member files are stored in the /cgi-bin/Members directory. The
members files are stored as numbers, with a .cgi extension, eg: 00000001.cgi

Under unix, if you put in http://www.url.blah/cgi-bin/Members/00000001.cgi,
the server will return a 500 error, however, under NT with ActivePerl (v5.07
I believe?), it will return something like this:

CGI Error
The specified CGI application misbehaved by not returning a complete set of
HTTP headers. The headers it did return are:
Number found where operator expected at
D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 2, near "Malby
1"
        (Missing semicolon on previous line?)
syntax error at D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 2,
near "Malby
1"
Bareword found where operator expected at
D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 2, near "mypass"
        (Missing operator before malby2?)
Bareword found where operator expected at
D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 4, near "//www"
        (Missing operator before www?)
Semicolon seems to be missing at
D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 6.
Number found where operator expected at D:\CONTE

yay for UBB handing out my password (line 2) to anyone who wants to read it.
This does not work on every data file, I think it depends on wether the
username has spaces in it, etc. However, it creates a very large hole. You
just need to get one of the administrators data files, and as you could
imagine, all hell would break loose.

I've seen posts before, that the UBB isn't exactly safe (heh ;P), so heres
another problem with it.

The people at Infopop/Madronapark (very nice folks), offer a "Example Sites"
list, a listing of users with UBB (Theres a lot of them), so now you have a
big list of would be victims. Someone can go through, and test each board.
I'd guarentee that about 40% of the boards are run under NT, and that most
of them use the default /Members/ directory

How to fix? change the members path to something more like
xvc83nx9wy4nd0w74m3. That will solve it

Sorry for ranting

Regards,

Sean

Current thread:

Ultimate Bulletin Board v5.3x? Bug Sean Malloy (Nov 29)
- <Possible follow-ups>
- Re: Ultimate Bulletin Board v5.3x? Bug William Daskaluk (Nov 30)