*************************************************
+ YaBB 9.1.2000 Multiple Vulnerabilities +
*************************************************
# Advisory by pestilence #
# www.synnergy.net #
|===============================================|

Affected program: YaBB 9.1.2000 (previous versions ?)
System          : Linux, UNIX, Windows
Problem         : Problem located in all scripts that handle files.
Discovery       : pestilence@synnergy.net

Discussion
----------

YaBB is the internet's second Open Source Bulletin Board system. A Bulletin Board is software that adds interactivity to your site: someone can post a question, which other visitors can answer. A bulletin board keeps your visitors coming back.

This product can be downloaded from http://www.yabb.org

Vulnerability
-------------

1) When YaBB.pl is called with the variables $display and $num (the variable that names the file to open), it opens the file for reading without any security check. Although the script responsible for handling the file appends a .txt extension, a user is able to force the script to open any file he wants by adding %00 to the end of the request, which makes the script omit the .txt extension: the %00 decodes to a NUL byte, the C library treats that byte as the end of the file name, and everything appended after it is ignored.

The problem is located within the Display.pl script:

    sub Display {
        $viewnum = $INFO{'num'};        # taken straight from the request, unchecked
        open(FILE, "$vardir/membergroups.txt");
        &lock(FILE);
        @membergroups = <FILE>;
        &unlock(FILE);
        close(FILE);
        # $viewnum is interpolated into the path as-is; a NUL byte in it hides the ".txt"
        open(FILE, "$datadir/$viewnum.txt") || &fatal_error("$txt{'23'} ...");
        # (the advisory's excerpt of Display.pl ends here)

Note that the program is subject to more vulnerabilities, as most of the scripts that handle user input don't do any security checks (even the basic ones). For instance:

    http://www.my_target.com/cgi-bin/YaBB.pl?board=news&action=display&num=../../../../../../../../etc/passwd%00

will open the passwd file.

Solution
--------

The vendors have been informed of the bug. Wait for the next patched version of YaBB to be released.
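As an added example (not YaBB's own code, and not part of the original advisory), the following Perl shows what the unchecked interpolation in Display.pl hands to the kernel once %00 is decoded, beside an allowlist check that only accepts a numeric thread id. The $datadir value, the url_decode helper and both function names are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added example: checking the "num" request parameter before it becomes a file name.
use strict;
use warnings;

# Constructed stand-in for YaBB's $datadir (the real value is set in Settings.pl).
my $datadir = "/var/www/yabb/Messages";

# Minimal URL decoding, enough to turn %00 and %2e back into raw bytes.
sub url_decode {
    my ($s) = @_;
    $s =~ s/\+/ /g;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Pre-patch behaviour: the path is built by plain interpolation. A 2-arg open()
# passes it to the C library as a NUL-terminated string, so the part after the
# first NUL byte (including the appended ".txt") never reaches the kernel.
sub unsafe_message_path {
    my ($num) = @_;
    my $path = "$datadir/$num.txt";
    return (split /\0/, $path, 2)[0];   # the name the kernel would actually open
}

# Hardened version: thread ids are plain integers, so accept nothing else.
# Returns undef for any value that is not a short run of digits; this rejects
# "../" sequences, absolute paths and NUL bytes in one check.
sub safe_message_path {
    my ($num) = @_;
    return undef unless defined $num && $num =~ /\A[0-9]{1,12}\z/;
    return "$datadir/$num.txt";
}

if (!caller) {
    # Constructed requests: a normal thread id and the traversal from the advisory.
    for my $raw ("12345", "../../../../../../../../etc/passwd%00") {
        my $num = url_decode($raw);
        printf "%-48s unsafe=%s safe=%s\n", $raw,
            unsafe_message_path($num), safe_message_path($num) // "(rejected)";
    }
}
```

Recent Perl versions refuse to open a path containing a NUL byte, but the plain `../` traversal still works without the allowlist, so the check on `$num` is the fix that matters.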
----------------------------------------
WEB: http://www.synnergy.net
email: pestilence@synnergy.net
Kostas Petrakis aka Pestilence
----------------------------------------