Home page logo

bugtraq logo Bugtraq mailing list archives

YaBB 1.9.2000 Vulnerabilitie
From: pestilence <pestilence () SYNNERGY NET>
Date: Sun, 10 Sep 2000 06:26:59 +0300

           +  YaBB 9.1.2000 Multiple Vulnerabilities  +
           #            Advisory by pestilence             #
           #               www.synnergy.net                #

Affected program:       YABB 9.1.2000 (previous ?)
System          :       Linux, UNIX, Windows
Problem         :       Problem located in all scripts that handle
Discovery       :       pestilence () synnergy net

YaBB is the internet's second Open Source Bulletin Board system. A
Bulletin Board is software to add interactivity to your site. Someone
can post a question, which other visitors can answer. A bulletin board
keeps your visitors coming back
This product can be downloaded from http://www.yabb.org

1) When YaBB.pl is called with the variable $display  and  $num (this is

the variable that handles the file) it opens a file without any security

check for reading, allthough the script that is responsible for handling

the file, appends a .txt extension, a user is able to force the script
open any file he wants by adding %00 to the end of the request, thus
forcing the script to ommit the .txt extension.
The problem is located within the Display.pl script:

sub Display {
    $viewnum = $INFO{'num'};
    open(FILE, "$vardir/membergroups.txt");
    @membergroups = <FILE>;
    open(FILE, "$datadir/$viewnum.txt") || &fatal_error("$txt{'23'}

Note that the program is subject to more Vulnerabities as most of the
scripts that handle user input don't do any security checks (even the
basic ones).

For instance:

. will open the passwd file.


The vendors have been informed of the bug.

Wait for the next patched version of YaBB to be released.

WEB: http://www.synnergy.net
email: pestilence () synnergy net
Kostas Petrakis aka Pestilence

  By Date           By Thread  

Current thread:
  • YaBB 1.9.2000 Vulnerabilitie pestilence (Sep 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]