#43238
04/05/2001 8:51 PM
Joined: Mar 2001
Posts: 7
Junior Member
Greetings All: Since I'm in the security biz, I keep track of a bunch of maillists related to vulnerabilities, etc. The following just came through:
From:
To:
Sent: Wednesday, April 04, 2001 9:07 PM
Subject: Ultimate Bulletin Board Version 5.47e
> About:
> "Ultimate Bulletin Board Version 5.47e"
> by "www.infopop.com"
> on Cross-Platform (tested on UNIX)
>
> Subject:
> Another possibility to read in private forums
>
> Status:
> Vendors took acknowledgement;
> No reply of any solution yet;
>
> Details:
> As still known, there've been some security problem
> in UBB up to version 5.74a that makes it possible
> to read in private forums (password protected), just
> giving the 'postings.cgi' the querystring
> 'action=reply&forum=doesnotmatter&number=1&topic=000001.cgi&TopicSubject=doesnotmatter&replyto=0',
> altering 'number' to the number of a private forum
> and 'topic' and 'replyto' just to the number you want to
> read.
> So for example this URL could let you read the first
> message of the first thread in a private forum,
> whose number is 1:
> http://boardhost.org/boarddir/postings.cgi?action=reply&forum=&number=1&topic=000001.cgi&TopicSubject=&replyto=0
> I guess this bug should be fixed at least with version
> 5.47e.
> But there was forgotten one little detail: If there are
> several private forums e.g. one for the moderators
> and one only for administrators,
> people with a moderator's rights could still exploit this
> bug to read in administrators forum, though they don't
> have permission to read there, just by logging in and
> get cookied by that.
>
> Solution:
> As I guess this should be fixed by editing the line
> ' if (($Status eq "Administrator") || ($Status eq "Moderator")) {'
> in the subroutine 'sub verifyID' in the 'postings.cgi' and change it into
> ' if ($Status eq "Administrator") {'
> at least with the board I was testing it, this worked.
> But maybe you should wait for any official solutions of
> the vendors.
Yours In CyberSpace, John Vranesevich Founder, AntiOnline.com
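The condition quoted in the advisory decides access from the user's global status alone, so it cannot tell a moderators' forum from an administrators-only one. The Perl sketch below is an added example, not UBB source and not code from anyone in this thread; the `%forum_acl` table, the user names and both function names are hypothetical, and it puts the role-only test next to a check that also looks at the forum being requested.

```perl
#!/usr/bin/perl
# Added example, not UBB code. All data and names below are constructed.
use strict;
use warnings;

# Constructed sample data: who may read each private forum.
my %forum_acl = (
    1 => { alice => 1 },              # administrators-only forum
    2 => { alice => 1, bob => 1 },    # moderators' forum
);
my %status = (
    alice => 'Administrator',
    bob   => 'Moderator',
    carol => 'Member',
);

# Same shape as the condition quoted in the advisory: the forum number
# is never consulted, so any moderator passes for every private forum.
sub can_read_role_only {
    my ($user, $forum) = @_;
    my $s = $status{$user} // '';
    return ($s eq 'Administrator' || $s eq 'Moderator') ? 1 : 0;
}

# Per-forum check: the answer depends on the forum being requested.
sub can_read_per_forum {
    my ($user, $forum) = @_;
    my $allowed = $forum_acl{$forum} or return 0;   # unknown forum: deny
    return 1 if ($status{$user} // '') eq 'Administrator';
    return $allowed->{$user} ? 1 : 0;
}

# Compare both checks for a few constructed (user, forum) requests.
for my $case (['alice', 1], ['bob', 1], ['bob', 2], ['carol', 2]) {
    my ($user, $forum) = @$case;
    printf "%-5s forum %d  role-only=%d  per-forum=%d\n",
        $user, $forum,
        can_read_role_only($user, $forum),
        can_read_per_forum($user, $forum);
}
```

The two checks disagree only for the moderator requesting the administrators-only forum, which is the case the advisory describes. The advisory's one-line change closes that case by refusing moderators everywhere; the per-forum check keeps their access to forums they are assigned to.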

#43239
04/05/2001 10:15 PM
Joined: Jan 2001
Posts: 1,940
Developer
Wouldn't that be better on the UBB 5 forums?
q

#43240
04/05/2001 10:17 PM
Joined: Mar 2001
Posts: 68
Member
Why's it even in the hack forums?

#43241
04/06/2001 6:33 AM
Joined: Mar 2001
Posts: 136
Journeyman
Thanks for posting this my friend need to know this asap.

#43242
04/06/2001 1:52 PM
Joined: Nov 2000
Posts: 915
Developer
indeed, why is this in the ubb6 section?

#43243
04/06/2001 1:54 PM
Joined: Feb 2000
Posts: 4,625
Member
Thank you for letting us know! But this needs to be in the UBB5 forums.

#43244
04/08/2001 1:06 PM
Joined: Jan 2000
Posts: 395
Member
What's the fix for this security hole in versions preceding 5.47e?

#43245
04/08/2001 1:50 PM
Joined: Feb 2000
Posts: 61
Member
The fix suggested in the top of this thread should work fine. That security vulnerability is tiny compared to the biggie that UBB5.47e fixed. Upgrade to 5.47e if at all possible. Whether you upgrade to 5.47e or not, you should install my CodeFilter mod. It closes a nasty security hole not fixed by 5.47e: https://www.ubbdev.com/ubbcgi/ultimatebb.cgi?ubb=get_topic&f=7&t=000434
"Waffles are nothing more than a vehicle for butter and syrup" - Dr. Clayton Forrester

#43246
04/08/2001 1:59 PM
Joined: Jan 2000
Posts: 395
Member
Unfortunately, I can't upgrade at this time owing to special code I installed for copyright reasons.
Did Infopop publish a fix?
Could someone post the fix to postings.cgi and any other file that requires it?
I'm running 5.39.
[ April 08, 2001: Message edited by: NBAustin ]

#43247
04/08/2001 2:32 PM
Joined: Feb 2000
Posts: 61
Member
5.39? Uff Da.
There have been many security fixes since 5.39.
Again, the security vulnerability described in the top of this thread is a tiny one. It allows moderators to read posts in forums they are not supposed to access. This should be the least of your worries.
If you are running 5.39, you have at least two vulnerabilities that allow a malicious user to gain admin access to your board or worse, and do some serious damage.
If you just can't upgrade, you should make frequent backups of your entire UBB.
Seriously consider upgrading to UBB6. It's much easier to modify, and is fully supported by Infopop. I doubt anyone here or at Infopop is going to be able to help with your 5.39 problems.
"Waffles are nothing more than a vehicle for butter and syrup" - Dr. Clayton Forrester

#43248
04/08/2001 4:32 PM
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
Why in the world that was posted to BugTraq is beyond me.
Not only is it NOT within the realm of the items posted in BugTraq, it's not even a "major" security threat. At best, it's a real pain in the ass on sites that have private forums in which moderators do not have explicit access and in which the moderators are not trustworthy...
It's been patched in the 5.47e zips.
NBAustin, you are INSANE. Running 5.39 is suicide. Upgrade. Now.
UBB.classic: Love it or hate it, it was mine.

#43249
04/08/2001 4:47 PM
Joined: Feb 2000
Posts: 4,625
Member
NBAustin says he installed some new posting fields. Can't you carry them over? At least try. Bad man..

#43250
04/08/2001 6:17 PM
Joined: Jan 2000
Posts: 395
Member
I've tried numerous times. It's more than fields. It's a whole Snip & Link thing (truncates article text and links the url source to a field) that affects two files. I've added a text box as well. This is all to comply with copyright law. Postings.cgi and ubblibrary_2.pl are very different in the new 5.4x versions. I can't seem to figure it out. I HAD 5.45, but lost it in a PC crash before I could back it up, and my access to the member's area had run out.
[ April 08, 2001: Message edited by: NBAustin ]

#43251
04/08/2001 9:10 PM
Joined: Mar 2000
Posts: 21,079 Likes: 3
I type Like navaho
It would seem to be your choice, but you easily stand to lose your whole site trying to save some custom templates for posting... you could file-compare those portions over to 5.47e for use...

#43252
04/09/2001 1:35 AM
Joined: Jan 2000
Posts: 395
Member
That's what I tried, Allen.
File compare didn't work.