yabb.txt

yabb.txt: Posted Sep 13, 2000; Authored by Kostas Petrakis | Site synnergy.net; Yabb 9.1.2000 and prior for Windows and Unix is a web based BBS system which has a vulnerability in YaBB.pl which allows remote attackers to view any file on the system.; tags | exploit, remote, web; systems | windows, unix; SHA-256 | b2141b021a48b28bf0bb81210dfbaa6fe7aae1817ab3d9c84bb3511551d57e91; Download | Favorite | View

yabb.txt


           *************************************************
           +  YaBB 9.1.2000 Multiple Vulnerabilities  +
           *************************************************
           #            Advisory by pestilence             #
           #               www.synnergy.net                #
           |===============================================|



Affected program:       YABB 9.1.2000 (previous ?)
System          :       Linux, UNIX, Windows
Problem         :       Problem located in all scripts that handle
files.
Discovery       :       pestilence@synnergy.net

Discussion
----------
YaBB is the internet's second Open Source Bulletin Board system. A
Bulletin Board is software to add interactivity to your site. Someone
can post a question, which other visitors can answer. A bulletin board
keeps your visitors coming back
This product can be downloaded from https://www.yabb.org


Vulnerability
-------------
1) When YaBB.pl is called with the variable $display  and  $num (this is

the variable that handles the file) it opens a file without any security

check for reading, allthough the script that is responsible for handling

the file, appends a .txt extension, a user is able to force the script
to
open any file he wants by adding %00 to the end of the request, thus
forcing the script to ommit the .txt extension.
The problem is located within the Display.pl script:

sub Display {
    $viewnum = $INFO{'num'};
    open(FILE, "$vardir/membergroups.txt");
    &lock(FILE);
    @membergroups = <FILE>;
    &unlock(FILE);
    close(FILE);
    open(FILE, "$datadir/$viewnum.txt") || &fatal_error("$txt{'23'}

Note that the program is subject to more Vulnerabities as most of the
scripts that handle user input don't do any security checks (even the
basic ones).


For instance:
https://www.my_target.com/cgi-bin/YaBB.pl?board=news&action=display&num=../../../../../../../../etc/passwd%00

. will open the passwd file.

Solution
--------

The vendors have been informed of the bug.

Wait for the next patched version of YaBB to be released.

----------------------------------------
WEB: https://www.synnergy.net
email: pestilence@synnergy.net
Kostas Petrakis aka Pestilence
----------------------------------------

Top Authors In Last 30 Days

Red Hat 223 files
Ubuntu 61 files
Debian 20 files
LiquidWorm 20 files
Apple 9 files
indoushka 5 files
Gentoo 5 files
Google Security Research 4 files
Alter Prime 3 files
Chokri Hammedi 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,160)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,842)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,249)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,975)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

yabb.txt

yabb.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

yabb.txt

Share This

yabb.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems