COMMAND

    bbs_forum.cgi

SYSTEMS AFFECTED

    bbs_forum.cgi 1.0 (Others unknown)

PROBLEM

    Following is based on Cgi Security Advisory #3.1.  Any file can be
    read with the permissions of user nobody (or the web server user).
    Possible root compromise in the bbs_forum.cgi script.  Command
    execution is allowed and therefore shell spawning is possible.
    This has been tested on Unix and Linux systems only and it is
    unknown whether Windows versions exist and/or are affected.

    One thing to be  noted about this hole  is that perl was  in taint
    mode,  and  still  allowed  files  to  be read, and commands to be
    executed.  This was not  originally intended.  This is  proof that
    perl -t is not always enough.

    Example:

        www.host.com/cgi-bin/bbs_forum.cgi?forum=<valid forum name>&read=../bbs_forum.cgi

    Will grab the script's own source code.  Note: in order for this
    hole to work a valid forum name must be used, so simply calling
    read= on its own may not work.

    Here are some clarifications on the remote execution versus remote
    file reading portions of the advisory:
    1) Very old versions of bbs_forum.cgi suffered from the ability to
       execute commands through lack of input handling.

       This was fixed several years ago two-fold: (1) adding taint
       mode and (2) tightening perl's open() calls so that the file
       mode operator (e.g. <) was included literally instead of relying
       on the default open mode being "open for read".

       Part  of   this  advisory   was  written   from  testing   this
       pre-taintmode version of the script.

    2) However, taintmode does not check user input for reading files.
       So a directory traversal/arbitrary file reading bug remained in
       the read parameter when used in conjunction with several  other
       input parameters as stated below.

    In  summary,  those  people  running  a  version  of bbs_forum.cgi
    without  taintmode  are  running  a  really old version and should
    upgrade completely as they've ignored our prior security alerts.

    Those  people  who  do  have  taintmode  enabled in the script can
    safely assume the patch below is the only patch they require.

SOLUTION

    The vendor has been contacted about this serious security problem.
    Please visit the vendor's website for patches and other  important
    information.

    If you have made  extensive modifications to bbs_forum.cgi  and do
    not wish to start  over from scratch, search  for the line at  the
    start of bbs_forum.cgi that says

                      &ReadParse;

    And insert afterwards the following:

                      if ($in{'read'} && $in{'read'} !~ /^\d+-\d+\.msg$/i) {
                          print "Invalid Message #";
                          die("Invalid Message # provided: " . $in{'read'});
                      }
                      if ($in{'reply_to_message'} &&
                          $in{'reply_to_message'} !~ /^\d+-\d+\.msg$/i) {
                          print "Invalid Reply To Message #";
                          die("Invalid Reply To Message # provided: " .
                              $in{'reply_to_message'});
                      }

    This code assures the script that the message file form  variables
    can only consist of the strict filename format of digits  followed
    by a hyphen followed by some digits followed by the literal string
    ".msg".
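    As an added illustration (not code from the advisory or the vendor), the
    same check in Python: the pre-patch path construction hands back the
    script source for the ../bbs_forum.cgi request shown above, while the
    patched check enforces the digits-hyphen-digits.msg pattern and, as a
    second layer, confirms the resolved path still lies inside the forum
    directory.  The forum and message layout are constructed in a temporary
    directory, and the mapping from the forum= name to a directory is assumed.

```python
import os
import re
import tempfile
from urllib.parse import parse_qs

# Same filename format the advisory's Perl patch enforces: digits-digits.msg
MESSAGE_NAME = re.compile(r"^\d+-\d+\.msg$", re.IGNORECASE)

def vulnerable_message_path(forum_dir, read):
    # Pre-patch behaviour: read is joined to the forum directory unchecked,
    # so "../bbs_forum.cgi" walks out of it (taint mode does not stop this).
    return os.path.normpath(os.path.join(forum_dir, read))

def safe_message_path(forum_dir, read):
    # Patched behaviour: reject anything that is not NNN-NNN.msg, then also
    # confirm the resolved path stays inside the forum directory.
    if not MESSAGE_NAME.match(read):
        raise ValueError("Invalid Message # provided: " + read)
    base = os.path.realpath(forum_dir)
    target = os.path.realpath(os.path.join(base, read))
    if os.path.dirname(target) != base:
        raise ValueError("message path escapes forum directory")
    return target

def read_message(forum_dir, query_string, checked=True):
    # forum_dir stands in for the directory a valid forum= name maps to
    # (assumed lookup, not part of the advisory).
    read = parse_qs(query_string).get("read", [""])[0]
    resolver = safe_message_path if checked else vulnerable_message_path
    with open(resolver(forum_dir, read), encoding="utf-8") as fh:
        return fh.read()

def demo():
    # Constructed layout: a forum dir holding one message, script beside it.
    root = tempfile.mkdtemp()
    forum = os.path.join(root, "general")
    os.mkdir(forum)
    with open(os.path.join(forum, "1-2.msg"), "w") as fh:
        fh.write("hello")
    with open(os.path.join(root, "bbs_forum.cgi"), "w") as fh:
        fh.write("#!/usr/bin/perl -T")
    query = "forum=general&read=../bbs_forum.cgi"
    leaked = read_message(forum, query, checked=False)  # source is returned
    try:
        read_message(forum, query)  # patched check rejects the traversal
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked, read_message(forum, "forum=general&read=1-2.msg")
```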