Ultimate Bulletin Board Arbitrary Command Execution Vulnerability

Infopop's Ultimate Bulletin Board software (often referred to as UBB) is a popular web board package written in Perl. Because of errors in the regular expressions that validate form input, it is possible to execute arbitrary commands on a server running UBB. In ubb_library.pl, the variable $ThreadFile is appended to a string that is then passed to open() as a file path when UBB writes data to the web server's filesystem. Regular expressions are used to check that the variable is in the expected format:

if ($ThreadFile =~ /\d\d\d\d\d\d\.ubb/)

and in the commercial version:

if ($ThreadFile =~ /\d\d\.[m|n|ubb|cgi]/) {

Unfortunately, neither regular expression is anchored, so ".ubb" (or, in the commercial pattern, the alternative extension) does not have to be the end of the string: extra data appended after it still matches as long as $ThreadFile is crafted so that the pattern occurs somewhere in the value, and the whole value is then passed to open(). In the commercial version's pattern, [m|n|ubb|cgi] is also a character class rather than an alternation, so it matches any single character from that set after the two digits (including '|'), not the literal extensions. The value of $ThreadFile is taken directly from a "hidden" HTML form field called 'topic', making this a remotely exploitable vulnerability.
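The following Perl script is an added example, not code from UBB or from this advisory. It reproduces both of the quoted checks as functions, places an anchored check beside them, and runs all three over a few constructed 'topic' values to show which ones slip through. The trailing-pipe sample relies on the behaviour of Perl's two-argument open(), which treats a filename ending in '|' as a command to run; the example only evaluates the checks and never opens anything. The open_thread() helper, the directory argument and the sample values are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not UBB's code): contrasts the unanchored checks quoted
# in the advisory with an anchored one, and shows a safer open() pattern.
use strict;
use warnings;

# Unanchored check, as in the free version of ubb_library.pl.
sub loose_check_free {
    my ($f) = @_;
    return $f =~ /\d\d\d\d\d\d\.ubb/ ? 1 : 0;
}

# Unanchored check, as in the commercial version.  Note that
# [m|n|ubb|cgi] is a character class: it matches ONE character from
# the set { m | n u b c g i }, not the extensions "m", "n", "ubb", "cgi".
sub loose_check_commercial {
    my ($f) = @_;
    return $f =~ /\d\d\.[m|n|ubb|cgi]/ ? 1 : 0;
}

# Anchored check: the whole value must be exactly six digits + ".ubb".
sub strict_check {
    my ($f) = @_;
    return $f =~ /\A\d{6}\.ubb\z/ ? 1 : 0;
}

# Constructed sample values of the 'topic' form field (assumed, not from
# the advisory).
my @samples = (
    '123456.ubb',        # legitimate thread file
    '123456.ubb|id',     # trailing pipe: a 2-arg open() would run "id"
    '../123456.ubb',     # path traversal, still matches the loose regexes
    '12.|',              # matches the commercial pattern via the class
    'x123456.ubbx',      # junk on both sides, loose regexes still match
);

printf "%-16s %-5s %-11s %s\n", 'topic', 'free', 'commercial', 'strict';
for my $t (@samples) {
    printf "%-16s %-5d %-11d %d\n", $t,
        loose_check_free($t), loose_check_commercial($t), strict_check($t);
}

# Hardened file access (assumed helper): reject anything that is not an
# exact thread-file name, then use a three-argument open() with an explicit
# mode so the filename can never be interpreted as a pipe or mode spec.
sub open_thread {
    my ($dir, $f) = @_;
    die "bad thread file\n" unless strict_check($f);
    open(my $fh, '<', "$dir/$f") or die "open $dir/$f: $!\n";
    return $fh;
}
```

Run it as `perl ubb_check.pl` and compare the columns: every crafted value passes at least one of the loose checks, while only the plain '123456.ubb' passes the anchored one. Anchoring alone is not the whole fix; the three-argument open() with a fixed mode is what removes the pipe interpretation even if a later validation bug reintroduces stray characters.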


Copyright 2010, SecurityFocus