[LWN Logo]
[Timeline]
Date:         Sun, 10 Sep 2000 06:26:59 +0300
From: pestilence <pestilence@SYNNERGY.NET>
Subject:      YaBB 1.9.2000 Vulnerabilitie
To: BUGTRAQ@SECURITYFOCUS.COM

           *************************************************
           +  YaBB 9.1.2000 Multiple Vulnerabilities  +
           *************************************************
           #            Advisory by pestilence             #
           #               www.synnergy.net                #
           |===============================================|



Affected program:       YABB 9.1.2000 (previous ?)
System          :       Linux, UNIX, Windows
Problem         :       Problem located in all scripts that handle
files.
Discovery       :       pestilence@synnergy.net

Discussion
----------
YaBB is the internet's second Open Source Bulletin Board system. A
Bulletin Board is software to add interactivity to your site. Someone
can post a question, which other visitors can answer. A bulletin board
keeps your visitors coming back
This product can be downloaded from http://www.yabb.org


Vulnerability
-------------
1) When YaBB.pl is called with the variable $display  and  $num (this is

the variable that handles the file) it opens a file without any security

check for reading, allthough the script that is responsible for handling

the file, appends a .txt extension, a user is able to force the script
to
open any file he wants by adding %00 to the end of the request, thus
forcing the script to ommit the .txt extension.
The problem is located within the Display.pl script:

sub Display {
    $viewnum = $INFO{'num'};
    open(FILE, "$vardir/membergroups.txt");
    &lock(FILE);
    @membergroups = <FILE>;
    &unlock(FILE);
    close(FILE);
    open(FILE, "$datadir/$viewnum.txt") || &fatal_error("$txt{'23'}

Note that the program is subject to more Vulnerabities as most of the
scripts that handle user input don't do any security checks (even the
basic ones).


For instance:
http://www.my_target.com/cgi-bin/YaBB.pl?board=news&action=display&num=../../../../../../../../etc/passwd%00

. will open the passwd file.

Solution
--------

The vendors have been informed of the bug.

Wait for the next patched version of YaBB to be released.

----------------------------------------
WEB: http://www.synnergy.net
email: pestilence@synnergy.net
Kostas Petrakis aka Pestilence
----------------------------------------