Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: Frequently Exploited :: yabb1.htm

YaBB %00 vulnerability



Vulnerability

    Yabb

Affected

    YaBB 1.9.2000

Description

    Pestilence found following.   YaBB is the  internet's second  Open
    Source Bulletin  Board system.   A Bulletin  Board is  software to
    add interactivity  to your  site.   Someone can  post a  question,
    which  other  visitors  can  answer.  A  bulletin board keeps your
    visitors coming back.

    When  YaBB.pl  is  called  with  the  variable $display  and  $num
    (this  is  the  variable  that  handles  the file) it opens a file
    without any security check for reading, allthough the script  that
    is responsible for handling the file, appends a .txt extension,  a
    user is  able to  force the  script to  open any  file he wants by
    adding %00 to the end of  the request, thus forcing the script  to
    ommit  the  .txt  extension.   The  problem  is located within the
    Display.pl script:

        sub Display {
            $viewnum = $INFO{'num'};
            open(FILE, "$vardir/membergroups.txt");
            &lock(FILE);
            @membergroups = <FILE>;
            &unlock(FILE);
            close(FILE);
            open(FILE, "$datadir/$viewnum.txt") || &fatal_error("$txt{'23'}

    Note that the program is subject to more Vulnerabities as most  of
    the scripts that  handle user input  don't do any  security checks
    (even the basic ones).

    For instance:

        http://www.my_target.com/cgi-bin/YaBB.pl?board=news&action=display&num=../../../../../../../../etc/passwd%00

    will open the passwd file.

Solution

    The vendors  have been  informed of  the bug.   Wait for  the next
    patched version of YaBB to be released.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH