#99678 06/26/2003 6:34 PM
Can anyone tell me more about this and how it can be fixed? Or rather, I don't yet understand how it works at all.

Vulnerability found in UBB 6.0.x and (possible) in UBB 6.1.x
@ SMS
Dec 03 2001, 16:58 (UTC+0)
From: xatmer :
Vulnerability in Ultimate Bulletin Board 6.0.x and maybe 6.1.x.
Any user can obtain the passwords of others by taking advantage of the password reminder function (lost password).

Sorry for my terrible English; I use the auto-translator at www.translate.ru.
The algorithm is the following.
1. We find the e-mail of any existing user on a board.
2. We register a user with the same e-mail.
3. We change the e-mail to the one necessary to us.
4. We use the button to send the password.
5. We receive the password not only of the required user, but also of the one whose e-mail was used in the beginning.

It is possible to build whole chains of e-mails.
And now the reason:
File ubb_lib_misc.cgi

sub find_lost {

……………………………………..

    # get list of registered emails
    my @email_list = &OpenFileAsArray("$vars_config{MembersPath}/emailfile.cgi");

    #lowercase the input
    my $lc_email = lc($in{email});

    # find matches
    foreach (@email_list) {
        ($row_email, $row_un) = split(/\|\|/, $_);
        $lc_row_email = lc($row_email);
        if ($lc_row_email eq "$lc_email") {
            chomp($row_un);
            push(@matches, $row_un);
        }
    }

    # now we have matches
    $match_total = @matches;

……………………………………….

As is apparent from the code, the function uses the file emailfile.cgi to search for users with the required e-mail address. The file has the following format:
email|public-mail|user_number
Then there is a pass over the structures of the found users, and the passwords of these users are sent to the entered e-mail.
Further. And now we shall understand why this occurs.
ubb_profile.cgi
Function update_profile

# if email is changing, update emailfile.cgi
undef(@amend);
if ($lc_email ne "$lc_old_email") {

    my @emailsfile = &OpenFileAsArray("$vars_config{MembersPath}/emailfile.cgi");

    # escape regex metacharacters in the old address
    $lc_old_email =~ s/([.|@])/\\$1/isg;

    #####################################################
    #####################################################

    foreach $checker(@emailsfile) {
        chomp($checker);
        if ($checker =~ m/^$lc_old_email\|\|/i) {
            ($j, $thisnum) = split(/\|\|/, $checker);
            $NewLine = "$lc_email||$thisnum";
            push(@amend, $NewLine);
        } else {
            push(@amend, $checker);
        }
    }

    #####################################################
    #####################################################

    open(FILE, ">$vars_config{MembersPath}/emailfile.cgi");
    &lock;
    foreach $dos(@amend) {
        chomp($dos);
        print FILE "$dos\n";
    }
    &unlock;
    close(FILE);
    chmod (0666, "$vars_config{MembersPath}/emailfile.cgi");
}

Here we see that the function opens the file (the interesting piece is marked off with comments), looks through it for the e-mail being replaced, changes it on detection, then enters the name. Only it is not taken into account that someone could have entered another's e-mail, and the replacement will be applied not only to the user who requested the change of address, but to all such addresses.
This vulnerability is found in all UBB 6.0.x; 6.1.x was not tested because that version was not available.

The solution to the problem:
In the file ubb_profile.cgi, make the following replacement.
Initial file:

foreach $checker(@emailsfile) {
    chomp($checker);
    if ($checker =~ m/^$lc_old_email\|\|/i) {
        ($j, $thisnum) = split(/\|\|/, $checker);
        $NewLine = "$lc_email||$thisnum";
        push(@amend, $NewLine);
    } else {
        push(@amend, $checker);
    }
}

The changed file:

foreach $checker(@emailsfile) {
    chomp($checker);
    if ($checker =~ m/^$lc_old_email\|\|/i) {
        ($j, $thisnum) = split(/\|\|/, $checker);
        # only rewrite the row of the user who is changing the address
        if ($thisnum == $user_number) {
            $NewLine = "$lc_email||$thisnum";
            push(@amend, $NewLine);
        } else {
            push(@amend, $checker);
        }
    } else {
        push(@amend, $checker);
    }
}


(C) 2001 Xatmer
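
An added example, not part of the original post and not UBB's own code: a Perl sketch of the profile update keyed on the user number with exact string comparison instead of a regex built from the address, plus an audit that lists addresses already shared by several accounts. The function names, the sample rows and the row format `email||user_number` (the one the quoted code reads and writes) are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of emailfile.cgi rows, assumed format "email||user_number".
my @emailfile = (
    'alice@example.com||00000001',
    'bob@example.com||00000002',
    'alice@example.com||00000003',   # second account registered with the same address
);

# Rewrite the row of exactly one account. Fields are compared as strings,
# so no regex is built from user input and no other account's row can match.
sub update_email {
    my ($rows, $user_number, $old_email, $new_email) = @_;
    my @amend;
    foreach my $row (@$rows) {
        my ($email, $num) = split /\|\|/, $row, 2;
        if (defined $num && $num eq $user_number && lc($email) eq lc($old_email)) {
            push @amend, lc($new_email) . "||$num";
        } else {
            push @amend, $row;    # every other account is left untouched
        }
    }
    return @amend;
}

# Audit: addresses that map to more than one user number. Each group is a
# set of accounts that a lookup by e-mail alone treats as one owner.
sub shared_addresses {
    my ($rows) = @_;
    my %owners;
    foreach my $row (@$rows) {
        my ($email, $num) = split /\|\|/, $row, 2;
        next unless defined $num;             # skip malformed rows
        push @{ $owners{ lc $email } }, $num;
    }
    return map { ($_ => $owners{$_}) }
           grep { @{ $owners{$_} } > 1 } sort keys %owners;
}

# Account 00000003 changes its address; account 00000001 must keep its own.
my @after = update_email(\@emailfile, '00000003',
                         'alice@example.com', 'carol@example.com');
print "$_\n" for @after;

my %shared = shared_addresses(\@emailfile);
print "shared: $_ => @{ $shared{$_} }\n" for sort keys %shared;
```

Running the audit against an existing `emailfile.cgi` before applying the fix shows which accounts already share an address and need review.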

Entire Thread
Subject Posted By Posted
Security vulnerability Mikrokosmos 06/27/2003 1:34 AM
Re: Security vulnerability d-talk 06/27/2003 2:43 AM
Re: Security vulnerability dj2k 06/30/2003 1:19 AM
Re: Security vulnerability Mikrokosmos 10/08/2003 2:46 PM
Re: Security vulnerability Stamoulis 10/09/2003 11:29 AM
Re: Security vulnerability Mikrokosmos 10/09/2003 1:34 PM
Re: Security vulnerability Mikrokosmos 10/09/2003 1:38 PM
Re: Security vulnerability martin.away 10/09/2003 3:27 PM
Re: Security vulnerability Mikrokosmos 10/10/2003 1:33 PM
Re: Security vulnerability Mikrokosmos 10/10/2003 1:39 PM
Re: Security vulnerability GMe 01/30/2004 12:14 PM

The UBB.Developers Network (UBB.Dev/Threads.Dev) is ©2000-2024 VNC Web Services