
Title: YaBB 9.1.2000 Multiple Vulnerabilities
Released by: Synnergy
Date: 11th September 2000

           +  YaBB 9.1.2000 Multiple Vulnerabilities  +


           #            Advisory by pestilence             #

           #               www.synnergy.net                #


Affected program:       YABB 9.1.2000 (previous ?)

System          :       Linux, UNIX, Windows

Problem         :       Problem located in all scripts that handle


Discovery       :       pestilence@synnergy.net



YaBB is the internet's second Open Source Bulletin Board system. A
Bulletin Board is software to add interactivity to your site. Someone
can post a question, which other visitors can answer. A bulletin board
keeps your visitors coming back.

This product can be downloaded from http://www.yabb.org



1) When YaBB.pl is called with the variables $display and $num ($num is
the variable that handles the file), it opens a file for reading without
any security check. Although the script that is responsible for handling
the file appends a .txt extension, a user is able to force the script to
open any file he wants by adding %00 to the end of the request, thus
forcing the script to omit the .txt extension.

The problem is located within the Display.pl script:

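sub Display {
    # Thread id taken directly from the request's num parameter
    $viewnum = $INFO{'num'};
    open(FILE, "$vardir/membergroups.txt");
    @membergroups = <FILE>;

    # $viewnum is used in the path with no validation
    open(FILE, "$datadir/$viewnum.txt") || &fatal_error("$txt{'23'}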

Note that the program is subject to more vulnerabilities, as most of the
scripts that handle user input don't do any security checks (even the
basic ones).

For instance:


. will open the passwd file.



The vendors have been informed of the bug.

Wait for the next patched version of YaBB to be released.
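
The kind of check the Display routine lacks, shown as an added example
that is not part of the advisory or of YaBB's code: the num value is
validated against an allow-list before any path is built. The names
safe_thread_path and open_thread, the data directory and the sample
values are assumptions, as is the premise that thread ids are digits only.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical data directory; YaBB's real $datadir comes from its settings.
my $datadir = "/var/www/yabb/Messages";

# Return the thread file path for $num, or nothing if $num is not a plain
# numeric id (assumption: thread ids are digits only). An allow-list is used
# instead of stripping characters: NUL bytes, slashes and dots all fail the
# same single check. \A and \z anchor the whole string; $ would let a
# trailing newline through.
sub safe_thread_path {
    my ($num) = @_;
    return unless defined $num && $num =~ /\A[0-9]{1,20}\z/;
    return "$datadir/$num.txt";
}

# Open a thread read-only. Three-argument open() keeps the file name from
# being parsed as a mode or pipe, as two-argument open() would allow.
sub open_thread {
    my ($num) = @_;
    my $path = safe_thread_path($num) or return;
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed sample values of the num parameter, after CGI URL-decoding.
my @samples = (
    "968630400",         # ordinary numeric id
    "968630400\0",       # trailing NUL, the %00 case from the advisory
    "../../somefile\0",  # directory traversal plus NUL
    "12\n",              # trailing newline
    "",                  # empty value
);

for my $s (@samples) {
    # Render non-printable bytes as \xNN so the NUL is visible in output.
    (my $shown = $s) =~ s/([^\x20-\x7e])/sprintf("\\x%02x", ord($1))/ge;
    my $path = safe_thread_path($s);
    printf "%-26s => %s\n", "'$shown'", defined $path ? $path : "rejected";
}
```

Only the first sample yields a path; the other four are rejected before
open() is ever reached.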


WEB: http://www.synnergy.net

email: pestilence@synnergy.net

Kostas Petrakis aka Pestilence


(C) 1999-2000 All rights reserved.