Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: YaBB 1.9.2000 Vulnerabilitie
From: pestilence (pestilenceSYNNERGY.NET)
Date: Sat Sep 09 2000 - 22:26:59 CDT

           + YaBB 9.1.2000 Multiple Vulnerabilities +
           # Advisory by pestilence #
           # www.synnergy.net #

Affected program: YABB 9.1.2000 (previous ?)
System : Linux, UNIX, Windows
Problem : Problem located in all scripts that handle
Discovery : pestilencesynnergy.net

YaBB is the internet's second Open Source Bulletin Board system. A
Bulletin Board is software to add interactivity to your site. Someone
can post a question, which other visitors can answer. A bulletin board
keeps your visitors coming back
This product can be downloaded from http://www.yabb.org

1) When YaBB.pl is called with the variable $display and $num (this is

the variable that handles the file) it opens a file without any security

check for reading, allthough the script that is responsible for handling

the file, appends a .txt extension, a user is able to force the script
open any file he wants by adding %00 to the end of the request, thus
forcing the script to ommit the .txt extension.
The problem is located within the Display.pl script:

sub Display {
    $viewnum = $INFO{'num'};
    open(FILE, "$vardir/membergroups.txt");
    membergroups = <FILE>;
    open(FILE, "$datadir/$viewnum.txt") || &fatal_error("$txt{'23'}

Note that the program is subject to more Vulnerabities as most of the
scripts that handle user input don't do any security checks (even the
basic ones).

For instance:

. will open the passwd file.


The vendors have been informed of the bug.

Wait for the next patched version of YaBB to be released.

WEB: http://www.synnergy.net
email: pestilencesynnergy.net
Kostas Petrakis aka Pestilence