NOTICE: Security Vulnerability - 04/06/2001 3:51 AM
Greetings All:
Since I'm in the security biz, I keep track of a bunch of maillists related to vulnerabilities, etc. The following just came through:
From:
To:
Sent: Wednesday, April 04, 2001 9:07 PM
Subject: Ultimate Bulletin Board Version 5.47e
> About:
> "Ultimate Bulletin Board Version 5.47e"
> by "www.infopop.com"
> on Cross-Platform (tested on UNIX)
>
>
> Subject:
> Another possibility to read in private forums
>
>
> Status:
> Vendors took aknoledgement;
> No reply of any solution yet;
>
>
> Details:
> As still known, there've been some security problem
> in UBB up to version 5.74a that makes it possible
> to read in private forums (password protected), just
> giving the 'postings.cgi' the querystring
> 'action=reply&forum=doesnotmatter&number=1&topi
> c=000001.cgi&TopicSubject=doesnotmatter&replyto=
> 0',
> altering 'number' to the number of a private forum
> and 'topic' and 'replyto' just to the number you want to
> read.
> So for example this URL could let you read the first
> message of the first thread in a private forum,
> wich's number is 1:
> http://boardhost.org/boarddir/postings.cgi?
> action=reply&forum=&number=1&topic=000001.cgi&
> TopicSubject=&replyto=0
> I guess this bug should be fixed at least with version
> 5.47e.
> But there was forgotten one little detail: If there are
> several private forums e.g. one for the moderators
> and
> one only for administrators,
> people with a moderators rights could still exploit this
> bug to read in administrators forum, thought they don't
> have permission to read there, just by loggin in and
> get coockied by that.
>
>
> Solution:
> As I guess this should be fixed by editing the line
> ' if (($Status eq "Administrator") || ($Status
> eq "Moderator")) {' in the subroutine
> 'sub verifyID' in the 'postings.cgi' and change it into
> ' if ($Status eq "Administrator") {' at least with the
> board I was testing it, this worked.
> But maybe you should wait for any offical solutions of
> the vendors.
Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline.com
Since I'm in the security biz, I keep track of a bunch of maillists related to vulnerabilities, etc. The following just came through:
From:
To:
Sent: Wednesday, April 04, 2001 9:07 PM
Subject: Ultimate Bulletin Board Version 5.47e
> About:
> "Ultimate Bulletin Board Version 5.47e"
> by "www.infopop.com"
> on Cross-Platform (tested on UNIX)
>
>
> Subject:
> Another possibility to read in private forums
>
>
> Status:
> Vendors took aknoledgement;
> No reply of any solution yet;
>
>
> Details:
> As still known, there've been some security problem
> in UBB up to version 5.74a that makes it possible
> to read in private forums (password protected), just
> giving the 'postings.cgi' the querystring
> 'action=reply&forum=doesnotmatter&number=1&topi
> c=000001.cgi&TopicSubject=doesnotmatter&replyto=
> 0',
> altering 'number' to the number of a private forum
> and 'topic' and 'replyto' just to the number you want to
> read.
> So for example this URL could let you read the first
> message of the first thread in a private forum,
> wich's number is 1:
> http:/
> action=reply&forum=&number=1&topic=000001.cgi&
> TopicSubject=&replyto=0
> I guess this bug should be fixed at least with version
> 5.47e.
> But there was forgotten one little detail: If there are
> several private forums e.g. one for the moderators
> and
> one only for administrators,
> people with a moderators rights could still exploit this
> bug to read in administrators forum, thought they don't
> have permission to read there, just by loggin in and
> get coockied by that.
>
>
> Solution:
> As I guess this should be fixed by editing the line
> ' if (($Status eq "Administrator") || ($Status
> eq "Moderator")) {' in the subroutine
> 'sub verifyID' in the 'postings.cgi' and change it into
> ' if ($Status eq "Administrator") {' at least with the
> board I was testing it, this worked.
> But maybe you should wait for any offical solutions of
> the vendors.
Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline.com
