Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: etc :: wwwb.txt

WWWBoard - wwwboard.pl is vulnerable to a dictionary attack on the admin password and a subtle DoS attack.





[ http://www.rootshell.com/ ]

Date:         Thu, 3 Sep 1998 13:37:06 -0700
From:         bugtraq <bugtraq@ANKH.SAMIAM.ORG>
Subject:      wwwboard.pl vulnerability

Hello,

The commonly used wwwboard.pl program, available for free from
www.worldwidemart.com, is a suite that appears to not have security as a
serious consideration in its design.  Not only does the default location of
passwords in the wwwadmin.pl program allow anyone on the internet to perform
dictionary attacks on the board admin's password, there is another, more
subtle DOS attack.

There is no input checking done on the list of articles which a given
article is a followup to.  This allows us to give it invalid input such that
we can clobber files that the web server has write permissions to.

For example, this HTML snippit, when read by Netscape (and the button is
pushed), will clobber articles 1 to 5 on the wwwboard at some.poor.host.

<form method=POST action="http://some.poor.host/cgi-bin/wwwboard.pl">
<input type=hidden name="followup" value="1,2,3,4,5,|.|">
<input type=submit value="Clobber web board">
</form>

The included patch patches wwwboard.pl against this attack.

I notified the arthur, matt@worldwidemart.com of this problem over a week
ago, but have not gotten a response from him.

I should mention that wwwboard.pl also does not log the IP that posts a
given message to the board.

> #       looking at the apache 1.2.5 source code i found
> #       that there was no limit on how many mime headers could
> #       be included in a client request. The only limits
> #       are : 8192 byte for each header, 300 sec. on reading headers.

On another topic, this posted attack against Apache using an arbitrary
number of different headers does not work against servers with Ben's
recent Sioux patch.

- Sam

Patch for wwwboard.pl (which requires perl5 to run) follows:

*** wwwboard.patch.pl   Thu Sep  3 13:14:46 1998
--- wwwboard.pl Thu Sep  3 13:17:47 1998
***************
*** 1,4 ****
! #!/usr/local/bin/perl
  ##############################################################################
  # WWWBoard                      Version 2.0 ALPHA 2                          #
  # Copyright 1996 Matt Wright    mattw@worldwidemart.com                      #
--- 1,4 ----
! #!/usr/local/bin/perl -T
  ##############################################################################
  # WWWBoard                      Version 2.0 ALPHA 2                          #
  # Copyright 1996 Matt Wright    mattw@worldwidemart.com                      #
***************
*** 82,88 ****

  sub get_number {
     open(NUMBER,"$basedir/$datafile");
!    $num = <NUMBER>;
     close(NUMBER);
     if ($num == 99999)  {
        $num = "1";
--- 82,90 ----

  sub get_number {
     open(NUMBER,"$basedir/$datafile");
!    my($n) = <NUMBER>;
!    $n =~ /(\d+)/;
!    $num = $1;
     close(NUMBER);
     if ($num == 99999)  {
        $num = "1";
***************
*** 132,138 ****

     if ($FORM{'followup'}) {
        $followup = "1";
!       @followup_num = split(/,/,$FORM{'followup'});
        $num_followups = @followups = @followup_num;
        $last_message = pop(@followups);
        $origdate = "$FORM{'origdate'}";
--- 134,146 ----

     if ($FORM{'followup'}) {
        $followup = "1";
!       my($item);
!       my(@list) = split(/,/,$FORM{'followup'});
!       @followup_num = ();
!       foreach $item (@list) {
!         $item =~ /(\d+)/;
!         push(@followup_num,$1);
!         }
        $num_followups = @followups = @followup_num;
        $last_message = pop(@followups);
        $origdate = "$FORM{'origdate'}";



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH