Vulnerability: Ultimate Bulletin Board

Affected: Ultimate Bulletin Board v5.3x

Description:

Sean Malloy found the following.

There seems to be a bug with the UBB under NT (I don't believe Unix users of the UBB are faced with the same problem). Of course it could be the version of ActivePerl, combined with the bug in the board, but anyway...

By default, member files are stored in the /cgi-bin/Members directory. The member files are stored as numbers, with a .cgi extension, e.g. 00000001.cgi

Under Unix, if you put in http://www.url.blah/cgi-bin/Members/00000001.cgi the server will return a 500 error; however, under NT with ActivePerl (v5.07?), it will return something like this:

CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:
Number found where operator expected at D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 2, near "Malby 1"
(Missing semicolon on previous line?)
syntax error at D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 2, near "Malby 1"
Bareword found where operator expected at D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 2, near "mypass"
(Missing operator before malby2?)
Bareword found where operator expected at D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 4, near "//www"
(Missing operator before www?)
Semicolon seems to be missing at D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 6.
Number found where operator expected at D:\CONTE

Yay for UBB handing out our password (line 2) to anyone who wants to read it.

This does not work on every data file; it may depend on whether the username has spaces in it, etc. However, it creates a very large hole. You just need to get one of the administrators' data files, and as you can imagine, all hell would break loose. The people at Infopop/Madronapark offer an "Example Sites" list, a listing of users with UBB (there's a lot of them), so now you have a big list of would-be victims. Someone can go through and test each board.

Solution:

How to fix? Change the Members path to something more like xvc83nx9wy4nd0w74m3. That will solve it.

Until someone guesses the path. Security through obscurity. It won't hurt, but don't put faith in the "that will solve it" spiel. The member files are plain data, but their .cgi extension makes a server that hands .cgi files to the Perl interpreter try to execute them, and Perl's compile-time diagnostics quote the offending source text back to the client, which on line 2 is the password. Renaming the directory only hides the files; it does nothing about them being executable from the web.

From the ultimatebb homepage installation instructions:

D) Create a Members directory. All of the files in the Members folder of your ZIP file should be stored in another directory on your web server. You should create a new directory called "Members" on your web server to store these Members CGI files. It is imperative that you name this directory Members (exactly); otherwise, the UBB will not function properly. You should place this directory either as a subdirectory of your CGI directory or above the web root, for security reasons. Once you have created this new directory, upload all of the files in the Members folder into it. These files must be uploaded in ASCII mode, not BINARY.

So to fix this bug, all one has to do is place the Members directory outside the web root.
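An added example, not part of Sean Malloy's report or of Infopop's software, that turns the report into a check an administrator can run: it parses an IIS/ActivePerl error page of the kind quoted in the Description to recover the on-disk path of the script that was executed and the source fragments Perl echoed, then applies the test the Solution asks for, whether the Members directory sits under the web root. The two sample response bodies are constructed from the output quoted above, the web root D:\CONTENT\wwwroot is assumed from the leaked path, and the function names are my own. The path check uses Python's ntpath module so it evaluates Windows paths correctly on any OS.

```python
import ntpath
import re

# Constructed sample: the IIS + ActivePerl error page quoted in the advisory
# (same placeholder member name and password the advisory shows).
SAMPLE_NT_RESPONSE = r"""CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:
Number found where operator expected at D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 2, near "Malby 1"
(Missing semicolon on previous line?)
syntax error at D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 2, near "Malby 1"
Bareword found where operator expected at D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 2, near "mypass"
Bareword found where operator expected at D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 4, near "//www"
Semicolon seems to be missing at D:\CONTENT\wwwroot\data\ubb\Members\00000001.cgi line 6.
"""

# Constructed sample: the bare 500 the advisory says a Unix host returns instead.
SAMPLE_UNIX_RESPONSE = "500 Internal Server Error\n"

# The IIS banner that marks a CGI script which died before emitting headers.
CGI_ERROR_BANNER = "misbehaved by not returning a complete set of HTTP headers"

# One Perl compile diagnostic: '... at <drive>:\path\file.cgi line N, near "<source text>"'.
DIAG_RE = re.compile(
    r' at (?P<path>[A-Za-z]:\\\S+?\.cgi) line (?P<line>\d+), near "(?P<near>[^"]*)"'
)


def parse_cgi_error(body):
    """Pull the on-disk script path and the quoted source fragments out of an
    IIS/ActivePerl error page. Returns None if the body is not such a page."""
    if CGI_ERROR_BANNER not in body:
        return None
    path = None
    leaked = {}  # source line number -> fragments Perl echoed from that line
    for m in DIAG_RE.finditer(body):
        path = path or m.group("path")
        frags = leaked.setdefault(int(m.group("line")), [])
        if m.group("near") not in frags:
            frags.append(m.group("near"))
    if path is None:
        return None
    return {"path": path, "leaked": leaked}


def under_web_root(web_root, target):
    """True if a Windows path lies beneath the web root. ntpath makes the check
    run on any OS; the comparison is case-insensitive and '..' is collapsed."""
    root = ntpath.normcase(ntpath.normpath(web_root))
    path = ntpath.normcase(ntpath.normpath(target))
    try:
        return ntpath.commonpath([root, path]) == root
    except ValueError:  # different drives: cannot be under the root
        return False


def members_dir_is_safe(web_root, members_dir):
    """The fix the advisory recommends: the Members directory must be outside
    the document root. Also enforce the installer's own rule that the
    directory is named exactly 'Members' (so renaming it is not a fix)."""
    name_ok = ntpath.basename(ntpath.normpath(members_dir)) == "Members"
    return name_ok and not under_web_root(web_root, members_dir)


if __name__ == "__main__":
    WEB_ROOT = r"D:\CONTENT\wwwroot"  # assumed; taken from the leaked diagnostic
    for label, body in (("NT", SAMPLE_NT_RESPONSE), ("Unix", SAMPLE_UNIX_RESPONSE)):
        info = parse_cgi_error(body)
        if info is None:
            print(f"{label}: no Perl diagnostic in response, nothing leaked")
            continue
        print(f"{label}: data file was executed as a script: {info['path']}")
        for line, frags in sorted(info["leaked"].items()):
            print(f"  line {line} leaked: {frags}")
        print("  inside web root:", under_web_root(WEB_ROOT, info["path"]))
    print("before fix:", members_dir_is_safe(WEB_ROOT, r"D:\CONTENT\wwwroot\data\ubb\Members"))
    print("after fix: ", members_dir_is_safe(WEB_ROOT, r"D:\CONTENT\ubb\Members"))
```

Any match from parse_cgi_error means the data file was run as a script and its contents reached the client; the path it returns tells you where on disk the Members directory actually lives, which is exactly what members_dir_is_safe needs to verify the move outside the web root.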