Title: YaBB 9.1.2000 Multiple Vulnerabilities
Released by: Synnergy
Date: 11th September 2000
           *************************************************
           +  YaBB 9.1.2000 Multiple Vulnerabilities  +
           *************************************************
           #            Advisory by pestilence             #
           #               www.synnergy.net                #
           |===============================================|

Affected program:       YABB 9.1.2000 (previous ?)
System          :       Linux, UNIX, Windows
Problem         :       Problem located in all scripts that handle files.
Discovery       :       pestilence@synnergy.net


Discussion
----------

YaBB is the internet's second Open Source Bulletin Board system. A
Bulletin Board is software to add interactivity to your site. Someone
can post a question, which other visitors can answer. A bulletin board
keeps your visitors coming back.

This product can be downloaded from http://www.yabb.org


Vulnerability
-------------

1) When YaBB.pl is called with the variables $display and $num (this is
the variable that handles the file), it opens a file for reading without
any security check. Although the script that is responsible for handling
the file appends a .txt extension, a user is able to force the script to
open any file he wants by adding %00 (a URL-encoded NUL byte) to the end
of the request, thus forcing the script to omit the .txt extension.

The problem is located within the Display.pl script:



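sub Display {
    # 'num' is taken straight from the request and is never validated
    $viewnum = $INFO{'num'};
    open(FILE, "$vardir/membergroups.txt");
    &lock(FILE);
    @membergroups = <FILE>;
    &unlock(FILE);
    close(FILE);
    # $viewnum is interpolated into the path unchecked
    open(FILE, "$datadir/$viewnum.txt") || &fatal_error("$txt{'23'}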



Note that the program is subject to more vulnerabilities, as most of the
scripts that handle user input don't do any security checks (even the
basic ones).

For instance:

http://www.my_target.com/cgi-bin/YaBB.pl?board=news&action=display&num=../../../../../../../../etc/passwd%00

will open the passwd file.



Solution
--------

The vendors have been informed of the bug.

Wait for the next patched version of YaBB to be released.
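
Until a fixed release is available, an allowlist check on the num value in front of the open() call shown above blocks both the traversal and the %00 truncation. This is an added example, not code from YaBB or from the advisory; the sub name valid_thread_file, the data directory and the sample values are assumptions, as is the premise that thread files are named <digits>.txt.

```perl
#!/usr/bin/perl
# Added example (not YaBB's own code): allowlist check for the 'num'
# parameter before it is used to build a filename under $datadir.
use strict;
use warnings;

# Hypothetical helper: returns the path to open, or nothing if $num is
# not a plain thread number. Assumes thread files are named <digits>.txt.
sub valid_thread_file {
    my ($datadir, $num) = @_;
    return unless defined $num;
    # \A ... \z anchor the whole string; unlike $, \z does not tolerate a
    # trailing newline. Digits only means no "/", ".." or NUL can pass.
    return unless $num =~ /\A[0-9]{1,20}\z/;
    return "$datadir/$num.txt";
}

# Constructed sample inputs, already URL-decoded the way a CGI parser
# delivers them (%00 has become a literal NUL byte).
my @samples = (
    "968671234",                               # normal thread id
    "../../../../../../../../etc/passwd\0",    # value from the advisory
    "968671234\0",                             # NUL alone, no traversal
    "968671234\n",                             # trailing newline
    "",                                        # empty value
);

for my $num (@samples) {
    # "/home/site/yabb/Messages" is a constructed data directory
    my $path = valid_thread_file("/home/site/yabb/Messages", $num);
    # Make non-printable bytes visible in the report
    (my $shown = $num) =~ s/([^\x20-\x7e])/sprintf("\\x%02x", ord $1)/ge;
    printf "%-42s => %s\n", "'$shown'", defined $path ? $path : "REJECTED";
}
```

In Display.pl the check would sit between reading $INFO{'num'} and the open() on $datadir, with a rejected value handed to &fatal_error instead of being opened.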



----------------------------------------
WEB: http://www.synnergy.net
email: pestilence@synnergy.net
Kostas Petrakis aka Pestilence
----------------------------------------









