Title: Ultimate Bulletin Board Arbitrary Command Execution Vulnerability
Severity: HIGH
Description:
Infopop's Ultimate Bulletin Board software (often referred to as UBB) is a popular web board package written in perl. Because of errors in regular expressions that check form input values, it is possible to execute arbitrary commands on a server running UBB. In ubb_library.pl, the variable $ThreadFile is added to the end of a string passed to the open() call (as a filepath) for writing data to the UBB web server's filesystem. Regular expressions are used to make sure the variable data is in proper format:
if ($ThreadFile =~ /\d\d\d\d\d\d\.ubb/)
and in the commercial version:
if ($ThreadFile =~ /\d\d\.[m|n|ubb|cgi]/) {
Unfortunately, the regular expressions do not require that ".ubb" be the end of the strings, which means that extra data can be included after ".ubb" and the value will still match the expressions (if $ThreadFile is crafted properly) and be passed to open(). The value for $Threadfile is obtained directly from a "hidden" html form variable called 'topic', making this a remotely exploitable vulnerability.
Affected Products:
- Infopop Ultimate Bulletin Board 5.43.0
References:
- Infopop: Ultimate Bulletin Board Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
