Re: Patches for wwwboard.pl (Was: Re: wwwboard.pl vulnerability)
Boynton, David, SSgt, AFPOA/DPSM (David.Boynton@PENTAGON.AF.MIL)
Thu, 8 Oct 1998 13:13:18 -0400
- Next message: Aleph One: "Re: Remote CGI can crash Netscape 4.x"
- Previous message: Mnemonix: "WARNING: By-passing MS Proxy packet filtering"
- Next in thread: Michael Blythe: "Referer (was Patches for wwwboard.pl)"
Since the referer information comes from the remote client, that doesn't
prevent malicious destruction. Anyone with netcat or telnet could forge
the referer field. It requires a little more expertise, but not much.

> -----Original Message-----
> From: Ken Williams [SMTP:jkwilli2@UNITY.NCSU.EDU]
> Sent: Wednesday, October 07, 1998 12:39 PM
> To: BUGTRAQ@NETSPACE.ORG
> Subject: Patches for wwwboard.pl (Was: Re: wwwboard.pl vulnerability)
>
> On Thu, 3 Sep 1998, bugtraq wrote:
>
> >| Date: Thu, 3 Sep 1998 13:37:06 -0700
> >| From: bugtraq <bugtraq@ANKH.SAMIAM.ORG>
> >| To: BUGTRAQ@netspace.org
> >| Subject: wwwboard.pl vulnerability
> >|
> >| Hello,
> >|
> >| The commonly used wwwboard.pl program, available for free from
> >| www.worldwidemart.com, is a suite that appears to not have security as a
> >| serious consideration in its design. Not only does the default location
> >| of passwords in the wwwadmin.pl program allow anyone on the internet to
> >| perform dictionary attacks on the board admin's password, there is
> >| another, more subtle DOS attack.
>
> Hello,
>
> Simple solution that has worked fine for me is to not use the wwwadmin.pl
> script at all. Don't install it and use vi to edit instead.
>
> >| There is no input checking done on the list of articles which a given
> >| article is a followup to. This allows us to give it invalid input such
> >| that we can clobber files that the web server has write permissions to.
> >|
> >| For example, this HTML snippet, when read by Netscape (and the button is
> >| pushed), will clobber articles 1 to 5 on the wwwboard at some.poor.host.
> >|
> >| <form method=POST action="http://some.poor.host/cgi-bin/wwwboard.pl">
> >| <input type=hidden name="followup" value="1,2,3,4,5,|.|">
> >| <input type=submit value="Clobber web board">
> >| </form>
> >|
> >| The included patch patches wwwboard.pl against this attack.
>
> A better and much simpler solution is to simply rip the &check_url
> subroutine from Matt Wright's FormMail.pl script and use that instead.
> Not only does it fix this security hole, but it also solves any other
> problems or worries associated with remote execution of the wwwboard.pl
> script.
>
> ----------begin patch----------
> Patch (ripped directly from Matt Wright's FormMail.pl)
> -----------------------------------------------------
>
> In the "Define Variables" section add:
> -----
> # security fix for post deletion
> # check http://worldwidemart.com/scripts/ for more details
> @referers = ('www.ncsu.edu','152.1.2.244');
> -----
>
> In the section that calls the subroutines right after "Configure Options"
> add the following:
> -----
> # Check Referring URL - remote post security fix
> &check_url;
> -----
>
> At the beginning of the subroutines, add the following:
> -----
> # security fix for remote post deletion
> sub check_url {
>
>     # Localize the check_referer flag which determines if user is valid.
>     local($check_referer) = 0;
>
>     # If a referring URL was specified, for each valid referer, make sure
>     # that a valid referring URL was passed to FormMail.
>     if ($ENV{'HTTP_REFERER'}) {
>         foreach $referer (@referers) {
>             if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
>                 $check_referer = 1;
>                 last;
>             }
>         }
>     }
>     else {
>         $check_referer = 1;
>     }
>
>     # If the HTTP_REFERER was invalid, send back an error.
>     if ($check_referer != 1) { &error('bad_referer') }
> }
> -----
>
> In the "error" subroutine, add the following, or roll your own:
> -----
> # error message to print out to people trying to delete posts via the
> # patched remote post exploit
> elsif ($error eq 'bad_referer') {
>     print "<html><head><title>Nice try, script kiddy</title></head>\n";
>     print "<body>Nice try, script kiddy. No posting from remote URLs.</body></html>\n";
>     exit;
> }
> -----
> ----------end patch----------
>
> >| I notified the author, matt@worldwidemart.com, of this problem over a week
> >| ago, but have not gotten a response from him.
> >|
> >| I should mention that wwwboard.pl also does not log the IP that posts a
> >| given message to the board.
>
> Why not just write the IP to the HTML documents created?
>
> Quick Patch
> -----------
>
> Add this in the "Define Variables" section:
> $ipaddy = $ENV{'REMOTE_ADDR'};
>
> Then, just tack $ipaddy on after all instances of $name in the new_file
> subroutine.
>
> [snipped Apache stuff]
>
> >| - Sam
>
> [snipped original patch]
>
>
> Added Bonus Patch
> -----------------
>
> Hate the Blink tag? Try this:
>
> -----patch to LART blink tag users-----
> In the "Configure Options" section, add this:
> -----
> $allow_blink_tag = 0; # 1 = YES; 0 = NO
> -----
>
> Inside the "Parse Form Subroutine", add this:
> -----
> # Nate Johnson <nsj@ncsu.edu> codes perl regex's in his sleep
> if ($allow_blink_tag == 0) {
>     $value =~ s@(<|&lt;)\s?/?blink(>|&gt;)@<font size=7 color=pink>I Can't even hack a blink tag on this wwwboard!<\/font>@gi;
> }
> -----
> ---------------------------------------
>
> In case I wasn't clear enough, or if you just want to see what a
> mess my own wwwboard.pl script is, go to
> http://www.genocide2600.com/~tattooman/wwwboard/wwwboard.pl
> to check out the source code for my implementation of wwwboard.pl
> at http://www.genocide2600.com/~tattooman/wwwboard/wwwboard.html
>
>
> Regards,
>
> Ken Williams
>
> Packet Storm Security http://www.Genocide2600.com/~tattooman/index.shtml
> E.H.A.P. Corporation http://www.ehap.org/ ehap@ehap.org info@ehap.org
> NCSU Comp Sci Dept http://www.csc.ncsu.edu/ jkwilli2@adm.csc.ncsu.edu
> PGP DSS/DH/RSA Keys http://www4.ncsu.edu/~jkwilli2/pgpkey/
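The two checks discussed in this thread, side by side, as an added example that is not part of either post and not code from wwwboard.pl or FormMail.pl: the quoted check_url is rewritten to take the Referer value as an argument so it can be called directly, and next to it is the check the original report actually calls for, strict validation of the followup field before any file path is built from it. The article list, the @referers allowlist and the helper names (validate_followup, message_path, $exists) are assumptions made for the example.

```perl
#!/usr/bin/perl -w
# Added example, not from the original thread or from wwwboard.pl:
# contrasts a Referer-based check with strict validation of the
# "followup" field that the original report's "1,2,3,4,5,|.|" abuses.
use strict;

# Allowlist of referring hosts, as in the posted patch (constructed).
my @referers = ('www.ncsu.edu', '152.1.2.244');

# The posted check_url logic, taking the Referer value as a parameter
# instead of reading %ENV. Returns 1 (accept) or 0 (reject).
sub check_url {
    my ($referer_header, @allowed) = @_;
    # As in the posted patch, a request with no Referer at all is accepted.
    return 1 unless defined $referer_header && length $referer_header;
    foreach my $referer (@allowed) {
        return 1 if $referer_header =~ m|https?://([^/]*)$referer|i;
    }
    return 0;
}

# Strict validation of the followup list: every element must be a plain
# decimal article number that refers to an existing article.
# Returns an array ref of numbers, or undef if anything is off.
sub validate_followup {
    my ($followup, $exists) = @_;    # $exists: code ref, true if article exists
    return undef unless defined $followup;
    my @ids;
    foreach my $item (split /,/, $followup) {
        # digits only: no '|', '.', '/', '..' or empty fields reach a filename
        return undef unless $item =~ /^\d{1,8}$/;
        return undef unless $exists->($item + 0);
        push @ids, $item + 0;
    }
    return \@ids;
}

# Build a message path from a validated article number only.
sub message_path {
    my ($basedir, $mesgdir, $num, $ext) = @_;
    die "refusing non-numeric article id" unless $num =~ /^\d+$/;
    return "$basedir/$mesgdir/$num.$ext";
}

# Constructed sample data: pretend articles 1..5 exist on the board.
my %articles = map { ($_, 1) } 1 .. 5;
my $exists = sub { exists $articles{ $_[0] } };

# 1) Referer check. The value is whatever the client chose to send, so a
#    matching string is accepted whether or not a browser produced it;
#    this is why the check is not a security boundary.
print "no referer:      ", check_url('', @referers), "\n";
print "allowed referer: ", check_url('http://www.ncsu.edu/wwwboard.html', @referers), "\n";
print "other site:      ", check_url('http://example.invalid/', @referers), "\n";

# 2) Input validation. A legitimate list is accepted; the payload from the
#    original report is rejected before any file path is built.
my $ok  = validate_followup('1,2,3', $exists);
my $bad = validate_followup('1,2,3,4,5,|.|', $exists);
print "valid followups: @$ok\n";
print "clobber attempt rejected: ", (defined $bad ? 'no' : 'yes'), "\n";
print message_path('/var/www/wwwboard', 'messages', $ok->[0], 'html'), "\n";
```

Run it with plain perl; it needs no modules. The point of the second half is that the article numbers are the only thing that should ever reach open(), so rejecting anything that is not a digit string, and anything that does not name an existing article, closes the hole regardless of what the Referer header says.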