WWWBoard Arbitrary Message Overwrite Vulnerability

Bugtraq ID:	1795
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Sep 03 1998 12:00AM
Updated:	Sep 03 1998 12:00AM
Credit:	This vulnerability was discovered and first posted to Bugtraq by Sam < [email protected]> on September 3, 1998.
Vulnerable:	Matt Wright WWWBoard 2.0 Alpha 2
Not Vulnerable:

WWWBoard Arbitrary Message Overwrite Vulnerability

wwwboard.pl is a perl script by Matt Wright, written to handle posts to a web discussion board. A problem exists in the script that allows a user to pass an input value using a <form method=POST> without checking the contents of the value. The problem occurs in the <input type=hidden name="followup" value=> field, in which the name "followup" followed by a value corresponding to a previously existing message permits one to overwrite a previously existing post to the board. Consequently, valid posts to the board can be overwritten and erased by a malcious user.

WWWBoard Arbitrary Message Overwrite Vulnerability

See discussion.

WWWBoard Arbitrary Message Overwrite Vulnerability

Solution:
The wwwboard homepage recommends upgrading all existing wwwboard.pl implementations to WWWBoard Version 2.0 ALPHA 2.1.


Matt Wright WWWBoard 2.0 Alpha 2

• Matt Wright WWWBoard 2.0 ALPHA 2.1
  http://www.worldwidemart.com/scripts/wwwboard.shtml

WWWBoard Arbitrary Message Overwrite Vulnerability

References: