CGISecurity.com informed us
of a hole in the BBS script. Specifically, the vulnerability allows
an attacker to read any file the web server process can access on the
server by placing directory traversal sequences (e.g. ../../..) in the
message name passed in a URL.
In addition, while investigating this report, we uncovered a second
vulnerability of the same nature in the reply_to_message parameter.
Both of these are easily patched.
Technique 1: Download A New Version
If you are less technically inclined, you may download the BBS again
from our site using the download page (select WebBBS).
Then unarchive the tar file and replace your current bbs_forum.cgi
with the new one.
The download link is here.
Technique 2: Patch bbs_forum.cgi Yourself
If you have made extensive modifications to bbs_forum.cgi and do
not wish to start over from scratch, search for the line at the
start of bbs_forum.cgi that says
&ReadParse;
and insert the following immediately after it:
# Reject any 'read' value that is not strictly <digits>-<digits>.msg,
# which rules out path separators and ".." before the name is ever opened.
if ($in{'read'} && $in{'read'} !~ /^\d+-\d+\.msg$/i) {
    print "Invalid Message #";
    die("Invalid Message # provided: " . $in{'read'});
}
# The same check for the message being replied to.
if ($in{'reply_to_message'} && $in{'reply_to_message'} !~ /^\d+-\d+\.msg$/i) {
    print "Invalid Reply To Message #";
    die("Invalid Reply To Message # provided: " . $in{'reply_to_message'});
}
This code ensures that the message file form variables can only
consist of the strict filename format of digits, followed by a hyphen,
followed by more digits, followed by the literal string ".msg". Because
that whitelist admits neither a slash nor "..", a value can no longer
name a file outside the message directory.
We recommend updating your script as soon
as possible. Special thanks to cgisecurity.com
for pointing out the issue.