Common security problems with the Ultimate Bulletin Board Term - termREMOVETHIS@boxnet.dhs.org Boxnet Research Labs http://boxnet.dhs.org The methods and problems described in this paper were found and applied to the Ultimate Bulletin Board, but could be applied to other bulletin boards with similar problems. Issue 1: The Ultimate Bulletin Board creates it's data files and member files, world writable, and also insures that they are world writable by changing the permissions to world writable each time the files are edited. On multi-user servers, this is of course a bad idea, and allows multiple entry points for an attack. Either to directly edit the settings files, or to view the member files, retrieve the password of a user with administrational access and edit the settings through the actual web interface used to properly administrate the UBB. Even if ftp access is chroot'd, if the attack had webspace that allowed cgi programs to be run, the attack could still craft a cgi script in their own directory to obtain a password from the members directory. Fix: If you do not have root on the machine that your UBB is hosted on, you could ask the administrators of the hosting machine to do some of the things requiring root access. Make sure that the files that are set world writeable are owned by the group that the webserver runs under. Some of these files are: (In the UBB cgi directory) Styles.file UltBB.setup forums.cgi mods.file Every cgi file in the Members directory (in the ubb cgi directory) Next, you need to edit the executable cgi files, in the ubb cgi directory so that they do not set data files 777 or 666, but instead set them 770 or 660. This can be done by simply using grep to find the files that set the data files 777 and 666, and then editing them using a text editor that has a find and replace function. Issue 2: When at the Ultimate Bulletin Boards control panel (usually cp.html in the non cgi directory) and a wrong password is entered, the wrong password attempt is not logged. A simple brute force utility for cracking other sites (such as hotmail) could easily be modified to brute force the password to an administrative account. Fix: These are just my suggestions, I'm sure alot of other solutions could be implmented. Log all login attempts (successful or not) to the control panel, and prevent more than 3 bad logins at a time, ie. 3 bad login attempts would prevent another login attempt from the same ip for 5 minutes. (Preventing a specific ip from logging in for another 5 minutes prevents someone purposely sending bad login attempts to the control panel and preventing actual administrators from logging in.) Note: these would require modification to the UBB's code. A simple fix, without modifying the code would be to have a nice long password, using letters and numbers.