Subject: Insecure input validation in YaBB Search.pl
From: rpc (h
CKZ.ORG)
Date: Tue Nov 07 2000 - 05:01:46 CST
Hi Everybody,
Kosak reported this problem to vuln-dev last night. I downloaded the script
and did some testing.
There is an input validation problem with the 'catsearch' field, which gets
interpolated in an open statement:
open(FILE, "$boardsdir/$cattosearch") || &fatal_error("$txt{'23'} $currentboard.txt");
where $cattosearch is a localized $catsearch, assigned:
$catsearch = $FORM{'catsearch'};
An attacker could easily create a malicious HTML form with a catsearch such as:
./../../../../../usr/bin/touch%20/tmp/foo|
The amount of directory traversal will vary from site to site, depending on
their YaBB setup.
--rpc <h
ckz.org>
On Mon, 6 Nov 2000 23:32:33 +0100, [ K o S a K ] said:
> Hi,
>
> I heard it could be possible to execute arbitrary cmd across a script
> called search.pl from the YaBB package.
> I know that lots of web sites have been defaced by this exploit, but I haven't
> found it yet.
> It exploits an insecure input in the script.
> Even the latest version must be vulnerable.
>
> Does anyone have more information about this?
>
> Thanks a lot.
>
>
> KoSaK
> www.epsylon.org
> French Staff
>
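
An added example, not part of the original message and not YaBB's own code: one way to harden the open() call discussed above, by allowlisting the category name and using three-argument open so the mode cannot come from the input. The helper name open_category, the file name general.cat and the allowlist pattern are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Constructed stand-in for YaBB's $boardsdir, holding one category file.
my $boardsdir = tempdir(CLEANUP => 1);
open(my $seed, '>', File::Spec->catfile($boardsdir, 'general.cat'))
    or die "cannot create sample file: $!";
print {$seed} "General Discussion\n";
close($seed);

# Hypothetical helper: return a read handle for a category file, or nothing.
sub open_category {
    my ($dir, $name) = @_;

    # Allowlist: a single file name component built from safe characters.
    # '/', '|', whitespace and shell metacharacters never match, and the
    # first character cannot be '.', so '.' and '..' are rejected as well.
    return unless defined $name
        && $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    my $safe = $1;

    my $path = File::Spec->catfile($dir, $safe);

    # Three-argument open: the mode is fixed to '<', so a leading or
    # trailing '|' in the name is never read as "run this command", which
    # is what the two-argument form in Search.pl allows.
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed inputs: one legitimate name, then the shapes from the report
# (directory traversal, trailing pipe, embedded space).
for my $input ('general.cat', '../general.cat', 'general.cat|', 'a b') {
    my $fh = open_category($boardsdir, $input);
    printf "%-18s %s\n", "'$input'", $fh ? 'opened' : 'rejected';
    close($fh) if $fh;
}
```

Only the first input is opened; the other three are rejected by the allowlist before any file system call is made.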