eXtropia: the open web technology company
BBS Security Notice  
CGISecurity.com informed us of a hole in the BBS script. Specifically, the vulnerability allows a hacker to use directory traversal (e.g. ../../..) within a URL to read any file on the server that the web server has access to.

In addition, while looking into this vulnerability, we uncovered a second one of a similar nature involving reply_to_message. Both of these are easily patched.

Technique 1: Download A New Version

If you are less technically inclined, you may download the BBS again from the download page on our site (select WebBBS). Then unarchive the tar file and replace your current bbs_forum.cgi file with the new one.

The download link is here.

Technique 2: Patch bbs_forum.cgi Yourself

If you have made extensive modifications to bbs_forum.cgi and do not wish to start over from scratch, search for the line at the start of bbs_forum.cgi that says

&ReadParse;

And insert afterwards the following:

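# Refuse any "read" value that is not a plain message filename,
# so directory traversal sequences such as ../ are rejected.
if ($in{'read'} && $in{'read'} !~ /^\d+-\d+\.msg$/i) {
    print "Invalid Message #";
    die("Invalid Message # provided: " .
            $in{'read'});
}
# Apply the same filename check to "reply_to_message".
if ($in{'reply_to_message'} && $in{'reply_to_message'} !~ /^\d+-\d+\.msg$/i) {
    print "Invalid Reply To Message #";
    die("Invalid Reply To Message # provided: " .
            $in{'reply_to_message'});
}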

This code ensures that the message file form variables can only match a strict filename format: digits, followed by a hyphen, followed by more digits, followed by the literal string ".msg".
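
The filename check described above, run against constructed inputs in a stand-alone Perl script. This is an added example, not eXtropia's code; the function names and sample values are assumptions. It also compares the patch's pattern with a variant anchored by \z, because in Perl a bare $ still matches just before a trailing newline.

```perl
#!/usr/bin/perl
# Added example (not part of bbs_forum.cgi): exercises the message-filename
# allow-list on constructed inputs. Function names are hypothetical.
use strict;
use warnings;

# The pattern exactly as it appears in the patch.
sub patch_accepts {
    my ($value) = @_;
    return $value =~ /^\d+-\d+\.msg$/i ? 1 : 0;
}

# Same pattern, but \z anchors at the true end of the string,
# so a value ending in "\n" no longer passes.
sub strict_accepts {
    my ($value) = @_;
    return $value =~ /^\d+-\d+\.msg\z/i ? 1 : 0;
}

# Constructed sample inputs: [ value, expected (patch), expected (strict) ]
my @cases = (
    [ '12-3456.msg',          1, 1 ],   # normal message file
    [ '12-3456.MSG',          1, 1 ],   # /i permits upper case
    [ '../../../etc/passwd',  0, 0 ],   # traversal, as in the notice
    [ '../12-3456.msg',       0, 0 ],   # valid name behind a parent directory
    [ '12-3456.msg/../../x',  0, 0 ],   # valid prefix, extra path appended
    [ '12-3456.msg.bak',      0, 0 ],   # wrong extension
    [ '12-.msg',              0, 0 ],   # digits missing after the hyphen
    [ "12-3456.msg\n",        1, 0 ],   # trailing newline: only \z rejects it
);

my $failures = 0;
for my $case (@cases) {
    my ($value, $want_patch, $want_strict) = @$case;
    my $got_patch  = patch_accepts($value);
    my $got_strict = strict_accepts($value);

    # Make control characters visible in the report.
    (my $shown = $value) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    printf "%-26s patch=%-8s strict=%s\n", "'$shown'",
        $got_patch  ? 'accept' : 'reject',
        $got_strict ? 'accept' : 'reject';

    $failures++ if $got_patch != $want_patch || $got_strict != $want_strict;
}
die "$failures case(s) did not match expectations\n" if $failures;
```

The script exits non-zero if any case deviates from the expected result, so it can be rerun as a regression check after editing the pattern.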

We recommend updating your script as soon as possible. Special thanks to cgisecurity.com for pointing out the issue.