SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   YaBB SE
Vendors:   YaBBSE.org
YaBB SE Forum 'News.php' Include Bug Lets Remote Users Execute Arbitrary Code on the System
SecurityTracker Alert ID:  1005985
SecurityTracker URL:  http://securitytracker.com/id/1005985
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 24 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.5.1 and prior
Description:   A vulnerability was reported in the YaBB SE forum software in the configuration of the 'News.php' script. A remote user can execute arbitrary code on the target server.

Mindwarper reported that the 'News.php' script is located in the YaBB SE root directory instead of the '/Sources' directory. As a result, a remote user can install YaBB SE on their own host and then call News.php on the target server, specifying values for $db_server, $db_user, $db_passwd, and $db_name that point to the remote user's YaBB SE SQL database.

This will reportedly cause the target News.php script to accept the remote user's definition of the $template variable. If the $template variable points to a remotely located file controlled by the remote user, the target server will execute code contained in that file. The code will be executed with the privileges of the target web server.

The vendor has reportedly been notified.

Impact:   A remote user can execute arbitrary PHP code, including operating system commands, on the target server with the privileges of the web server process.
Solution:   No solution was available at the time of this entry.

The author of the report recommends renaming News.php to News.inc while waiting for a vendor patch.

Vendor URL:  www.yabbse.org/
Cause:   Configuration error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Another YabbSE Remote Code Execution Vulnerability



YabbSE Remote Code Execution 2 Vulnerability ( By Mindwarper :: mindwarper@hush.com :: )

<------- ------->

----------------------
Vendor Information:
---------------------- 

Homepage : http://www.yabbse.org
Vendor : informed
Mailed advisory: 24/01/02
Vendor Response : None


----------------------
Affected Versions:
----------------------

1.5.1 and prior


----------------------
Vulnerability:
----------------------


YabbSE contains a file called News.php which is found in the root directory. For some
unknown reason the vendor did not place this file inside /Sources even though this file
is only intended to be used as an include. An attacker can combine his own server with
the victim in such a way that it would allow him/her to include remote arbitrary code on
the victim's server and run it with webserver permissions.

The attack works as follows:

********
..

$dbcon = mysql_connect($db_server,$db_user,$db_passwd);
mysql_select_db ($db_name);

..

********

First of all we can see News.php is trying to connect to the sql database. We can see that
the variables above that contain the database information are not defined and may be
changed by the attacker. If the attacker installs yabbse on his/her server and allows remote
sql connection, then News.php will think the database has been loaded successfully and run
the following lines:

********
..

	if ($template == null)
		include("news_template.php");
	else
	{
		if ($ext == null)
			include($template.".php");
		else
			include($template.".".$ext);
	}

..

********

Since template is never defined before, the attacker may inject into $template his/her own
remote file. News.php will include the attacker's code and run it on the server and give 
the attacker the ability to execute arbitrary code on the server with webserver permissions.


----------------------
Solution:
---------------------- 

Please check the vendor's website for new patches.

As a temporary solution rename News.php to News.inc and wait for vendor's reply.


----------------------
Greetz:
----------------------

daemorhedron, Hawkje, Truckle, Cyon, Include

<------- ------->
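
A hardened form of the template include quoted in the message above, as an added example that is not YaBB SE code and not part of the original advisory. The function name, the scratch template directory and the extension allowlist are assumptions; the template name and extension arrive as explicit arguments, are restricted to a bare local file name, and must resolve inside one directory.

```php
<?php
// Added example, not YaBB SE code. resolve_news_template(), the scratch
// directory and the extension allowlist are assumptions for illustration.
const ALLOWED_EXT = ['php', 'inc'];

// Map a requested template name to a local file path, or throw.
// Keeps the quoted defaults: no name -> news_template.php, no ext -> .php.
function resolve_news_template(?string $template, ?string $ext, string $dir): string
{
    $base = realpath($dir);
    if ($base === false) {
        throw new RuntimeException('template directory missing');
    }
    if ($template === null || $template === '') {
        $template = 'news_template';
        $ext = 'php';
    }
    if ($ext === null || $ext === '') {
        $ext = 'php';
    }
    // Bare name only: no scheme, slash, dot or NUL byte, so neither a remote
    // URL nor a ../ path can reach include().
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $template)) {
        throw new InvalidArgumentException('invalid template name');
    }
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new InvalidArgumentException('invalid template extension');
    }
    // The file must exist and, after symlink resolution, sit directly in $base.
    $path = realpath($base . DIRECTORY_SEPARATOR . $template . '.' . $ext);
    if ($path === false || dirname($path) !== $base) {
        throw new InvalidArgumentException('unknown template');
    }
    return $path;
}

// Demo on constructed input: a scratch directory holding one template.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'news_tpl_demo';
is_dir($dir) || mkdir($dir);
file_put_contents($dir . '/news_template.php', "<?php echo 'default';\n");
$cases = [[null, null], ['news_template', 'php'],
          ['http://example.invalid/x', null], ['../news_template', 'php']];
foreach ($cases as [$t, $e]) {
    try {
        echo basename(resolve_news_template($t, $e, $dir)), "\n";
    } catch (InvalidArgumentException $ex) {
        echo 'rejected: ', $ex->getMessage(), "\n";
    }
}
```

A caller would read the template name and extension explicitly from the request, pass them to this function, and call include() only on the path it returns.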





Copyright 2021, SecurityGlobal.net LLC