OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: YaBB 1.9.2000 Vulnerabilitie
From: pestilence (pestilenceSYNNERGY.NET)
Date: Sat Sep 09 2000 - 22:26:59 CDT


           *************************************************
           + YaBB 9.1.2000 Multiple Vulnerabilities +
           *************************************************
           # Advisory by pestilence #
           # www.synnergy.net #
           |===============================================|

Affected program: YABB 9.1.2000 (previous ?)
System : Linux, UNIX, Windows
Problem : Problem located in all scripts that handle
files.
Discovery : pestilencesynnergy.net

Discussion
----------
YaBB is the internet's second Open Source Bulletin Board system. A
Bulletin Board is software to add interactivity to your site. Someone
can post a question, which other visitors can answer. A bulletin board
keeps your visitors coming back
This product can be downloaded from http://www.yabb.org

Vulnerability
-------------
1) When YaBB.pl is called with the variable $display and $num (this is

the variable that handles the file) it opens a file without any security

check for reading, allthough the script that is responsible for handling

the file, appends a .txt extension, a user is able to force the script
to
open any file he wants by adding %00 to the end of the request, thus
forcing the script to ommit the .txt extension.
The problem is located within the Display.pl script:

sub Display {
    $viewnum = $INFO{'num'};
    open(FILE, "$vardir/membergroups.txt");
    &lock(FILE);
    membergroups = <FILE>;
    &unlock(FILE);
    close(FILE);
    open(FILE, "$datadir/$viewnum.txt") || &fatal_error("$txt{'23'}

Note that the program is subject to more Vulnerabities as most of the
scripts that handle user input don't do any security checks (even the
basic ones).

For instance:
http://www.my_target.com/cgi-bin/YaBB.pl?board=news&action=display&num=../../../../../../../../etc/passwd%00

. will open the passwd file.

Solution
--------

The vendors have been informed of the bug.

Wait for the next patched version of YaBB to be released.

----------------------------------------
WEB: http://www.synnergy.net
email: pestilencesynnergy.net
Kostas Petrakis aka Pestilence
----------------------------------------