yabb.txt

2000-09-13T00:00:00
ID PACKETSTORM:23079
Type packetstorm
Reporter Kostas Petrakis
Modified 2000-09-13T00:00:00

Description

                                        
*************************************************  
+ YaBB 9.1.2000 Multiple Vulnerabilities +  
*************************************************  
# Advisory by pestilence #  
# www.synnergy.net #  
|===============================================|  
  
  
  
Affected program: YABB 9.1.2000 (previous ?)  
System : Linux, UNIX, Windows  
Problem : Problem located in all scripts that handle  
files.  
Discovery : pestilence@synnergy.net  
  
Discussion  
----------  
YaBB is the internet's second Open Source Bulletin Board system. A  
Bulletin Board is software to add interactivity to your site. Someone  
can post a question, which other visitors can answer. A bulletin board  
keeps your visitors coming back.
This product can be downloaded from http://www.yabb.org  
  
  
Vulnerability  
-------------  
1) When YaBB.pl is called with the variables $display and $num (the
latter is the variable that names the file), it opens a file for reading
without any security check. Although the script responsible for handling
the file appends a .txt extension, a user is able to force the script to
open any file he wants by adding %00 to the end of the request, thus
forcing the script to omit the .txt extension.
The problem is located within the Display.pl script:  
  
sub Display {  
$viewnum = $INFO{'num'};  
open(FILE, "$vardir/membergroups.txt");  
&lock(FILE);  
@membergroups = <FILE>;  
&unlock(FILE);  
close(FILE);  
open(FILE, "$datadir/$viewnum.txt") || &fatal_error("$txt{'23'}  
  
Note that the program is subject to more vulnerabilities, as most of the
scripts that handle user input don't do any security checks (even the
basic ones).
  
  
For instance:  
http://www.my_target.com/cgi-bin/YaBB.pl?board=news&action=display&num=../../../../../../../../etc/passwd%00  
  
... will open the passwd file.
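
An allowlist check on the num parameter, placed before the value reaches
open(), closes both the ../ traversal and the %00 truncation. The code
below is an added example, not YaBB code and not part of the original
advisory. It assumes thread identifiers are decimal digits only; the
thread_path helper, the /var/yabb/Messages directory and the sample
values are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not YaBB code.
# Assumption: thread ids are decimal digits only.
# Returns the path to open, or undef if the value must be rejected.
sub thread_path {
    my ($datadir, $num) = @_;
    return unless defined $num;
    # \A and \z anchor the whole string. Unlike $, \z does not accept a
    # trailing newline, and the digit class excludes NUL, '/' and '.'.
    return unless $num =~ /\A[0-9]{1,20}\z/;
    return "$datadir/$num.txt";
}

# Constructed sample values, already URL-decoded the way a CGI
# parameter parser would hand them to the script (%00 becomes "\0").
my @samples = (
    "968803200",                   # well-formed id
    "../../../../etc/passwd\0",    # traversal plus NUL truncation
    "968803200\0",                 # NUL alone
    "968803200\n",                 # trailing newline
    "",                            # empty value
);

for my $num (@samples) {
    # Make non-printable bytes visible in the report.
    (my $shown = $num) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    my $path = thread_path('/var/yabb/Messages', $num);
    printf "%-34s => %s\n", "\"$shown\"",
        defined $path ? $path : 'REJECTED';
}
```

Only the first sample yields a path; the other four are rejected before
any filename is built.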
  
Solution  
--------  
  
The vendors have been informed of the bug.  
  
Wait for the next patched version of YaBB to be released.  
  
----------------------------------------  
WEB: http://www.synnergy.net  
email: pestilence@synnergy.net  
Kostas Petrakis aka Pestilence  
----------------------------------------  