Joined: May 2001
Posts: 71
Member
OK, I had someone show me how they could TOTALLY manipulate a post in any way they wanted at all by posting this into a post.
[insert irony here]

Joined: May 2001
Posts: 71
Member
To show you what it does, I'll post it after this post.
[insert irony here]

Joined: May 2001
Posts: 71
Member
function tap(html) {
# Bringing in html files
FILE ( http://www.mysticallegend.com/tapper.cgi)
#pulling ubb info
read FILE;
if ($html eq "off") {$html = "on";};
#add post
#!require ( http://www.mysticallegend.com/tapper.cgi)
};
Here it is!!
&closetables
&img?http://www.mysticallegend.com/images/avatars/Administrator-Chris.gif
&addtables
[insert irony here]

Joined: May 2001
Posts: 71
Member
Hmmmmm, well it worked at my UBB. He did say something about he left out the part that is the pass to open the file that overrides the post cgi at my UBB, maybe it needs that, but I really didn't like it that he could do that.
It scares me because he said that if not done correctly it could totally damage a UBB, and he said as far as he knows there is no way to stop it because it can't be stripped off like HTML, because in order to do that it would also strip off the code that the UBB needs to run.
But there has to be a way.
If it weren't for him being a friend of mine and not doing anything that would hurt my board
But if someone else who knew how to do this came there or to any one of your UBBs they could take you down in a second.
So I suggest that as many people as we can try to get rid of the possibility of this happening.
This is basically a way for anyone who knows how to hack and destroy any UBB no matter how it's set up now, and it needs to be stopped.
Thank you, and please if anyone has any ideas don't bother to share
~Scott
[insert irony here]

Joined: May 2001
Posts: 157
Member
Hey, that sounds bad... a hack that could manipulate a post... maybe you should contact Infopop... do not post in their forum, which might cause a panic; email them with an example or a link to your UBB or something.

Joined: May 2001
Posts: 254
Member
Weird... We might be able to help but we need more info and exactly what he is posting :-)
QUOTES: by Link2001-------------------------"I see under the road.""When will the path end?""Boy Im tired."-------------------------

Joined: May 2001
Posts: 157
Member
http://www.mysticallegend.com/tapper.cgi is that the URL to the CGI/Perl program that messes the posts? Because the link doesn't work... anyway, get the link to the "TAPPER" program...

Joined: Jan 2001
Posts: 1,940
Developer
Murassemblade,
First of all, was this hack done on a clean UBB? IIRC, you can't execute Perl code inside a post unless you have a hack that permits this.
Second of all, if you have hacked your UBB, is the CodeButtons hack installed? If so, I'll recommend you remove it because leaving it in is a security hazard (check Bugtraq for a post by John Perceival regarding [IMG]).
Finally, what version of UBB are you using?
qasic

Joined: May 2001
Posts: 254
Member
What do you mean HAZARDOUS, like what could someone do??? (just wondering 'cause I like the hack)
QUOTES: by Link2001-------------------------"I see under the road.""When will the path end?""Boy Im tired."-------------------------

Joined: Aug 2000
Posts: 1,083
Kahuna

Joined: May 2001
Posts: 254
Member
QUOTES: by Link2001-------------------------"I see under the road.""When will the path end?""Boy Im tired."-------------------------

Joined: May 2001
Posts: 254
Member
If you're talking about the then it won't work because UBB does not like onerror
QUOTES: by Link2001-------------------------"I see under the road.""When will the path end?""Boy Im tired."-------------------------

Joined: Jan 2001
Posts: 1,940
Developer

Joined: May 2001
Posts: 71
Member
YES, that tapper.cgi is what it is, and he told me that it has a password protection that he has to also enter into the post to activate it; that's why when you just go to it it doesn't work.
And he has moved it from that location as of now.
And Qasic, I do have the code buttons hack installed; I installed it again a few days after you fixed my WOL, but it makes no matter.
He can do this on anything CGI: he can do it to UBB, IB, Ygold, any CGI message board this can be done to; it's not specific to UBB.
But UBB is unique in the fact that it has more flexibility to resolve such a thing than, say, an IB, which is the lamest program out there.
Anyway, it makes no matter; he won't tell me the password coding to activate the thing, but maybe I can get him to show an example. I'll post it later if I can.
[insert irony here]

Joined: Jan 2001
Posts: 1,940
Developer
Murassemblade:
I'll recommend you e-mail Infopop about this and see what they say. I really doubt if your buddy can do it on Infopop's server (it isn't hacked whatsoever).
I'll bet it's more of a problem with a hack (with the most likely culprit being Codebuttons).
qasic

Joined: Jan 2000
Posts: 5,073
Admin Emeritus
With all due respect, the 'code' you posted is a bunch of bull.
It sounds like you're being conned, sir.
Go to a clean UBB and ban the idiot.
UBB.classic: Love it or hate it, it was mine.

Joined: Aug 2000
Posts: 874
Moderator / Developer
I would tend to go with CC on this one...

Joined: May 2001
Posts: 254
Member
lol me too... I asked him to do what he did to him on my board; all he did was post some HTML, that's it :-P and he could have done which would have admined him if an admin viewed it, making it seem like he used a "tapper" program... [ July 10, 2001 05:45 PM: Message edited by: Link2001 ]
QUOTES: by Link2001-------------------------"I see under the road.""When will the path end?""Boy Im tired."-------------------------

Joined: Aug 2000
Posts: 874
Moderator / Developer
UBB 6.04f+ check GET vs POST, don't they... so even if you had HTML enabled, and an admin viewed that, it's the wrong method so it wouldn't have worked...

Joined: May 2001
Posts: 254
Member
Well, not on their board... (I tried and it admined me) so...
QUOTES: by Link2001-------------------------"I see under the road.""When will the path end?""Boy Im tired."-------------------------

Joined: May 2001
Posts: 71
Member
First, the code I posted was incomplete; he didn't give it all to me because he wrote what it does.
And Link, you're so dumb; he didn't understand I wanted him to do what he had done before to show you what I was talking about. HE DID NOT USE JUST HTML.
And secondly, I'm not going to ban him; he is my friend, he only did this to show me his program he wrote.
Also, he has shown me that it also works on an IB and some other CGI-based BBs, so IT'S NOT THE CODEBUTTONS HACK.
I'm sorry if I haven't explained this correctly, but I will be back when I have what is necessary to prove what is happening.
[insert irony here]

Joined: Jan 2001
Posts: 1,940
Developer
Well please bring conclusive proof. Or better yet, post it on Bugtraq.
qasic

Joined: May 2001
Posts: 254
Member
How AM I DUMB????? Well, the tapper program you posted (or part of it) is not even proper Perl :-P
QUOTES: by Link2001-------------------------"I see under the road.""When will the path end?""Boy Im tired."-------------------------

Joined: Jan 2000
Posts: 5,073
Admin Emeritus
Actually, that iframe code is quite valid.
Turn off HTML on your board to prevent such nasties.
6.1.0 will have additional filtering to catch stuff like that...
UBB.classic: Love it or hate it, it was mine.

Joined: May 2001
Posts: 254
Member
Charles, if they put that on an "outside" page then an admin viewed it, it would admin them, so turning HTML off would not fix the problem totally :-( I've been testing this all day today... And they can close topics the same way :-(
QUOTES: by Link2001-------------------------"I see under the road.""When will the path end?""Boy Im tired."-------------------------
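
Added example (not part of the thread and not UBB's code): the posts above raise two cases, a GET-versus-POST check on admin actions and a request triggered from an "outside" page while an admin is logged in. This Python example shows a server-side check that covers both; the action names, the `csrf_token` field and the session id are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical names throughout; constructed for this example, not UBB code.
SERVER_KEY = secrets.token_bytes(32)              # per-installation secret
STATE_CHANGING = {"promote_user", "close_topic"}  # constructed action names


def issue_token(session_id):
    """Token embedded in the board's own forms, bound to one login session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def authorize(method, action, session_id, is_admin, form):
    """Return (allowed, reason) for a request asking to perform `action`."""
    if action not in STATE_CHANGING:
        return True, "read-only"
    if not is_admin:
        return False, "not an administrator"
    # Method check: a URL auto-loaded by markup inside a post arrives as GET.
    if method != "POST":
        return False, "state change requires POST"
    # Token check: a page on another site can cause a POST that carries the
    # admin's cookie, but it cannot read the token out of the board's forms.
    supplied = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(supplied, issue_token(session_id).encode()):
        return False, "missing or invalid token"
    return True, "ok"


def demo():
    sid = "constructed-session-id"  # constructed sample value
    return [
        # 1. Markup in a post loads the admin URL while an admin reads it.
        authorize("GET", "promote_user", sid, True, {}),
        # 2. Form on an outside page, sent by the admin's browser, no token.
        authorize("POST", "promote_user", sid, True, {"user": "x"}),
        # 3. The board's own control-panel form, carrying the token.
        authorize("POST", "promote_user", sid, True,
                  {"user": "x", "csrf_token": issue_token(sid)}),
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```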