Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: Insecure input balidation in YaBB Search.pl
From: rpc (hCKZ.ORG)
Date: Tue Nov 07 2000 - 05:01:46 CST

Hi Everybody,

  Kosak reported this problem to vuln-dev last night. I downloaded the script
and did some testing.

There is an input validation problem with the 'catsearch' field, which gets
interpolated in an open statement:

open(FILE, "$boardsdir/$cattosearch") || &fatal_error("$txt{'23'}

where $cattosearch is a localized $catsearch, assigned:
$catsearch = $FORM{'catsearch'};

An attacker could easily create a malicious html form with a catsearch such as:

The amount of directory traversal will vary from site to site, depending on
their YaBB setup.

--rpc <hckz.org>

On Mon, 6 Nov 2000 23:32:33 +0100, [ K o S a K ] said:

> Hi,
> I heard it could be possible to execute arbitrary cmd accross a script
> called search.pl from the YaBB package.
> I know that lots of web site has been defaced by this exploit, but i haven't
> found it yet.
> It exploits an insecure input in the script.
> Even in the latest version must be vulnerable.
> Has someone more informations about this ?
> Thanks a lot.
> KoSaK
> www.epsylon.org
> French Staff