eXtropia bbs_forum.cgi Remote Arbitrary Command Execution Vulnerability

Excerpted from CGI Security Advisory #3.1:

Patch: http://www.extropia.com/hacks/bbs_security.html

If you have made extensive modifications to bbs_forum.cgi and do not wish to start over from scratch, search for the line at the start of bbs_forum.cgi that says


And insert afterwards the following:

# Accept only message names of the form <digits>-<digits>.msg; anything else aborts.
if ($in{'read'} && $in{'read'} !~ /^\d+-\d+\.msg$/i) {
    print "Invalid Message #";
    die("Invalid Message # provided: " . $in{'read'});
}
if ($in{'reply_to_message'} &&
    $in{'reply_to_message'} !~ /^\d+-\d+\.msg$/i) {
    print "Invalid Reply To Message #";
    die("Invalid Reply To Message # provided: " . $in{'reply_to_message'});
}

This code ensures that the message-file form variables (read and
reply_to_message) can only take the strict filename format of some digits,
followed by a hyphen, followed by some digits, followed by the literal
string ".msg".
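
The same allow-list rendered in Python, as an added example rather than eXtropia's own code, so the check can be run against constructed form values. The function names and the default message directory are assumptions; the Perl patch leaves empty values alone (an empty value selects no file), whereas this version also treats an empty value as invalid.

```python
import os
import re

# The advisory's allow-list as the Perl patch writes it: digits, hyphen, digits, ".msg".
# fullmatch anchors both ends; the $ anchor in both Perl and Python also tolerates a
# single trailing newline, so this rendering is marginally stricter than the patch.
MESSAGE_NAME = re.compile(r"\d+-\d+\.msg", re.IGNORECASE)

def is_valid_message_name(value):
    """True only for names shaped like 12-34.msg (case-insensitive)."""
    return bool(value) and MESSAGE_NAME.fullmatch(value) is not None

def resolve_message_path(value, base_dir="/var/www/bbs/messages"):
    """Map a form value to a path under base_dir (the default is a hypothetical
    directory), or raise ValueError where the Perl patch calls die().

    The allow-list is the real control: it admits no '/', no '.' beyond the fixed
    ".msg", and no shell metacharacters. The containment check is defence in depth.
    """
    if not is_valid_message_name(value):
        raise ValueError("Invalid Message # provided: %r" % (value,))
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, value))
    if os.path.dirname(path) != base:
        raise ValueError("Message path escapes %s: %r" % (base, value))
    return path

def triage(samples):
    """Split constructed form values into (accepted, rejected) lists."""
    accepted = [v for v in samples if is_valid_message_name(v)]
    rejected = [v for v in samples if not is_valid_message_name(v)]
    return accepted, rejected

# Constructed inputs: two well-formed names, then shapes the allow-list must refuse.
SAMPLES = [
    "12-34.msg", "0-1.MSG",
    "12-34.msg\n",     # trailing newline
    "../12-34.msg",    # directory traversal
    "12-34.msg|",      # shell metacharacter
    "12-34.msg.txt",   # wrong suffix
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLES)
    print("accepted:", ok)
    print("rejected:", bad)
```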

We recommend updating your script as soon as possible.
Special thanks to cgisecurity.com for pointing out the issue.
