OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Insecure input balidation in YaBB Search.pl
From: rpc (hCKZ.ORG)
Date: Tue Nov 07 2000 - 05:01:46 CST


Hi Everybody,

  Kosak reported this problem to vuln-dev last night. I downloaded the script
and did some testing.

There is an input validation problem with the 'catsearch' field, which gets
interpolated in an open statement:

open(FILE, "$boardsdir/$cattosearch") || &fatal_error("$txt{'23'}
$currentboard.txt");

where $cattosearch is a localized $catsearch, assigned:
$catsearch = $FORM{'catsearch'};

An attacker could easily create a malicious html form with a catsearch such as:
./../../../../../usr/bin/touch%20/tmp/foo|

The amount of directory traversal will vary from site to site, depending on
their YaBB setup.

--rpc <hckz.org>

On Mon, 6 Nov 2000 23:32:33 +0100, [ K o S a K ] said:

> Hi,
>
> I heard it could be possible to execute arbitrary cmd accross a script
> called search.pl from the YaBB package.
> I know that lots of web site has been defaced by this exploit, but i haven't
> found it yet.
> It exploits an insecure input in the script.
> Even in the latest version must be vulnerable.
>
> Has someone more informations about this ?
>
> Thanks a lot.
>
>
> KoSaK
> www.epsylon.org
> French Staff
>